[4840] in bugtraq


Re: Cleartext Password display in NS Communicator

daemon@ATHENA.MIT.EDU (Fred Albrecht)
Wed Jul 2 15:16:29 1997

Date: 	Wed, 2 Jul 1997 20:32:44 +0200
Reply-To: Fred Albrecht <fred@DOTCOM.FR>
From: Fred Albrecht <fred@DOTCOM.FR>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.96.970702195253.19075F-100000@host.tlnet.de>

On Wed, 2 Jul 1997, Holger Kanzog wrote:

> On Wed, 2 Jul 1997, Fred Albrecht wrote:
>
> > The following has been tested with Netscape Communicator 4.0 on NT 4 and
> > 4.0b4 on Linux with the same results :
>
> [..]
>
> > The password is now plainly visible in the URL field :
> >     « ftp://user:passwd@host »
>
> Appendix to my previous message:
>
> It happens only when connecting over proxy Squid (1.1.10) and it appears
> also in Squid's access.log.

After trying a number of combinations, it seems that it indeed only works
when going through the proxy... Squid 1.1.11 here.

As for JavaScript and history, the history array is still defined in the
JavaScript docs on the Netscape site which led me to believe that one
could play with it.  There may be limitations on accessing it though.  I
might be mistaken with this though, I don't use JavaScript a lot and
didn't try this at all.

If access isn't possible through JavaScript it isn't too bad, although the
fact that it's written to the proxy logs is a bit worrying.

At any rate, Netscape shouldn't display the password and squid shouldn't
log what it can clearly identify as « sensitive » information.

Fred.
--    ----------------------------------------------------------
                   DotCom - Communication Numérique
    http://www.dotcom.fr mailto:info@dotcom.fr  +33 01 46 67 51 00
           "We use only the freshest handpicked electrons"
      ----------------------------------------------------------
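
Added example, not part of the original message and not Squid's own code: a log scrubber that finds access.log lines whose URL carries a password in the ftp://user:passwd@host form discussed above and masks it. It assumes Squid's native log layout with the URL as the seventh whitespace-separated field; the sample lines and the names redact_url, scrub_line and scrub_log are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample lines in Squid's native access.log layout
# (time elapsed client code/status bytes method URL ident hierarchy type).
SAMPLE_LOG = """\
867868364.123 512 10.0.0.5 TCP_MISS/200 1843 GET ftp://user:passwd@host/pub/file.txt - DIRECT/host text/plain
867868370.456 98 10.0.0.7 TCP_HIT/200 4120 GET http://www.example.com/index.html - NONE/- text/html
867868381.789 301 10.0.0.5 TCP_MISS/200 990 GET ftp://anonymous@host/README - DIRECT/host text/plain
"""
URL_FIELD = 6  # assumed zero-based position of the URL column


def redact_url(url):
    """Return (url_with_password_masked, had_password)."""
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL: leave it untouched
        return url, False
    if parts.password is None:  # no "user:password@" userinfo present
        return url, False
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]  # keep the user name, drop the secret
    return urlunsplit(parts._replace(netloc=f"{user}:****@{hostport}")), True


def scrub_line(line):
    """Mask the password in one log line; untouched lines come back verbatim."""
    fields = line.split()
    if len(fields) <= URL_FIELD:
        return line, False
    fields[URL_FIELD], hit = redact_url(fields[URL_FIELD])
    return (" ".join(fields) if hit else line), hit


def scrub_log(text):
    """Return (scrubbed_text, line_numbers_that_held_a_password)."""
    out, hits = [], []
    for n, line in enumerate(text.splitlines(), 1):
        clean, hit = scrub_line(line)
        out.append(clean)
        if hit:
            hits.append(n)
    return "\n".join(out) + "\n", hits


if __name__ == "__main__":
    cleaned, flagged = scrub_log(SAMPLE_LOG)
    print(cleaned, end="")
    print("lines with embedded passwords:", flagged)
```

The returned line numbers identify which accounts had their password written to the log, so those credentials can be rotated as well as masked.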
