[23515] in bugtraq
RE: FTP "Network Place" with saved password will reveal cached pa
daemon@ATHENA.MIT.EDU (jones, gerald)
Sat Dec 15 15:48:34 2001
Message-ID: <664039ABAA75D5119A9D00B0D0D033C95E7F7D@srnamath.lss.emc.com>
From: "jones, gerald" <jones_gerald@emc.com>
To: "'Aaron Heck'" <AHeck@ouc.bc.ca>, bugtraq@securityfocus.com
Date: Fri, 14 Dec 2001 16:10:57 -0500
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
I just tried this using a Windows 2000 Professional as a client and a
Windows 2000 Server running IIS 5.0. TFor an FTP Network Place, the password
was displayed in the address bar after adding the first "../", whether the
password was saved or not. The ftp (IE) window changed to "This page cannot
be displayed", as expected (not allowed to go above ftp root).
Gerry Jones
-----Original Message-----
From: Aaron Heck [mailto:AHeck@ouc.bc.ca]
Sent: Friday, December 14, 2001 1:46 PM
To: bugtraq@securityfocus.com
Subject: FTP "Network Place" with saved password will reveal cached
password
Summary:
When a "Network Place" has been added to "My Network Places" with a
saved username and password it is possible to get Explorer to display
the password in cleartext format by altering the path in the address
bar.
<snip>
Aaron Heck
Instructional Microcomputer Resource Coordinator
Okanagan University College
aheck@ouc.bc.ca
