[4849] in bugtraq
Re: Cleartext Password display in NS Communicator
daemon@ATHENA.MIT.EDU (Oskar Pearson)
Thu Jul 3 10:28:30 1997
Date: Thu, 3 Jul 1997 09:19:24 +0200
Reply-To: oskar@is.co.za
From: Oskar Pearson <oskar@IS.CO.ZA>
X-To: fred@DOTCOM.FR
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.970702200947.14848C-100000@homefree.dotcom.fr>
from "Fred Albrecht" at Jul 2, 97 08:32:44 pm
Fred Albrecht wrote:
> > > The password is now plainly visible in the URL field :
> > > « ftp://user:passwd@host »
> > Appendix to my previous message:
> > It happens only when connecting over proxy Squid (1.1.10) and it appears
> > also in Squid's access.log.
> After trying a number of combinations, it seems that it indeed only works
> when going through the proxy... Squid 1.1.11 here.
Squid 1.NOVM.10 here
> At any rate, Netscape shouldn't display the password and squid shouldn't
> log what it can clearly identify as « sensitive » information.
Agreed - this is, however, a _setup_ problem with the squid proxy.
You have to change squid.conf so that ftpget_options includes either
the "-a" or "-A" flag (I prefer "-a")
It might be worth putting this in the documentation
or the config file's comments... I will contact people about this.
Our config file contains:
ftpget_options -a -p http://www.is.co.za/tisservices/proxy/ -s .gif -w 25
for the list of possible options run '/usr/local/squid/bin/ftpget -h'
These are the relevant options:
-a Do not show password in generated URLs
-A Do not show login information in generated URLs
Oskar
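
A way to audit the setup described in this message, as an added example that is not part of the original post or of Squid: it checks a squid.conf for the -a/-A flags on ftpget_options and finds access.log lines that still carry an FTP password. The function names, file names and sample log lines (a simplified, constructed format) are assumptions.

```shell
#!/bin/sh
# Added example; file names and sample data are constructed for illustration.

# Succeed only if squid.conf ($1) has ftpget_options lines and every one of
# them carries -a or -A, the two flags quoted in the message.
ftpget_hides_password() {
    awk '$1 == "ftpget_options" {
             seen = 1; ok = 0
             for (i = 2; i <= NF; i++) if ($i == "-a" || $i == "-A") ok = 1
             if (!ok) bad = 1
         }
         END { exit !(seen && !bad) }' "$1"
}

# Print how many lines of the log ($1) still contain ftp://user:password@host.
count_exposed() {
    grep -c -E 'ftp://[^/:@[:space:]]+:[^/@[:space:]]+@' "$1" || true
}

# Print the log ($1) with the password removed from ftp:// URLs.
strip_passwords() {
    sed -E 's#(ftp://[^/:@[:space:]]+):[^/@[:space:]]+@#\1@#g' "$1"
}

# Constructed sample data (not real configuration or traffic).
tmp=$(mktemp -d)
printf '%s\n' '# ftpget_options -a' 'ftpget_options -s .gif -w 25' > "$tmp/weak.conf"
printf '%s\n' 'ftpget_options -a -s .gif -w 25' > "$tmp/fixed.conf"
printf '%s\n' \
  '867914364.123 1200 10.0.0.5 TCP_MISS/200 4512 GET ftp://alice:s3cret@ftp.example.org/pub/file.gz' \
  '867914370.456 310 10.0.0.6 TCP_MISS/200 911 GET ftp://ftp.example.org/README' \
  '867914381.789 95 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.org/' \
  > "$tmp/access.log"

for conf in "$tmp/weak.conf" "$tmp/fixed.conf"; do
    if ftpget_hides_password "$conf"; then
        echo "$conf: ftpget_options hides the password"
    else
        echo "$conf: ftpget_options lacks -a/-A"
    fi
done
echo "log lines exposing a password: $(count_exposed "$tmp/access.log")"
strip_passwords "$tmp/access.log"
```

Logs written before the configuration change still hold the passwords, so the affected accounts need new passwords even after the old log files are cleaned.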