[11636] in bugtraq
Re: IE and cached passwords
daemon@ATHENA.MIT.EDU (Paul Leach (Exchange))
Wed Sep 1 18:16:48 1999
Mime-Version: 1.0
Content-Type: text/plain
Message-Id: <19398D273324D3118A2B0008C7E9A56902FFFB22@SIT.platinum.corp.microsoft.com>
Date: Mon, 30 Aug 1999 14:16:59 -0700
Reply-To: "Paul Leach (Exchange)" <paulle@EXCHANGE.MICROSOFT.COM>
From: "Paul Leach (Exchange)" <paulle@EXCHANGE.MICROSOFT.COM>
X-To: Aleph One <aleph1@underground.org>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> -----Original Message-----
> From: Aleph One [mailto:aleph1@underground.org]
> Sent: Saturday, August 28, 1999 11:31 AM
>
> On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:
> > The server gets to say, in the WWW-Authenticate challenge
> header field, for which "realm" it wants credentials (name+password). If
both
> www.company.com and www.company.com:81 send the same realm, then the same
> password will continue to work.
> >
> > This behavior is as spec'd for HTTP Authentication, RFC 2617.
> >
> > So, it is not a security flaw.
>
> Paul,
>
> That is false. Quoting RFC2617, Page 3:
<snip>
Indeed. That'll teach me to rely on memory. Even if I was the last person to
modify those words when editing 2617.
I forwarded the bug report to the IE security team.
Paul
