[11550] in bugtraq
Re: IE and cached passwords
daemon@ATHENA.MIT.EDU (Paul Leach (Exchange))
Sat Aug 28 10:28:22 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <19398D273324D3118A2B0008C7E9A569FADF4A@SIT.platinum.corp.microsoft.com>
Date: Fri, 27 Aug 1999 19:04:53 -0700
Reply-To: "Paul Leach (Exchange)" <paulle@EXCHANGE.MICROSOFT.COM>
From: "Paul Leach (Exchange)" <paulle@EXCHANGE.MICROSOFT.COM>
X-To: Justin King <JKing@GFPGROUP.COM>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
The server gets to say, in the WWW-Authenticate challenge header field, for
which "realm" it wants credentials (name+password). If both www.company.com
and www.company.com:81 send the same realm, then the same password will
continue to work.
This behavior is as spec'd for HTTP Authentication, RFC 2617.
So, it is not a security flaw.
> -----Original Message-----
> From: Justin King [mailto:JKing@GFPGROUP.COM]
> Sent: Thursday, August 19, 1999 8:58 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: IE and cached passwords
>
>
> In Internet Explorer (v5/nt,v4/nt,v5/win98), when I go to a
> website (say,
> www.company.com), and it requests authorization (via basic
> authentication),
> and I enter it, I am able to browse the rest of the site
> without reentering
> my password on each page. This is fine. However, if I go to
> another website
> on the same machine, but a different port (say,
> www.company.com:81), my
> authentication information is still sent.
>
> This seem to me to be a security flaw with the browser. The
> potential for
> abuse doesn't really seem very high, but I do think it's there.
>
