Posted to dev@httpd.apache.org by Martin Kraemer <Ma...@mch.sni.de> on 1997/07/23 15:53:46 UTC

[SECURITY] What to do with security bug which I found?

Hi Apache Developers,

I don't know who exactly is to blame for this bug: in the referer_log of
my apache_1.2.1, I just found a log entry...

   http://someuser:somepass@somehost/some/request/ -> http://somewhere.else

1) The user who made the access claims he used IE3 via PPP dial up to my
   server, and <someuser> and <somepass> are his DIALUP LOGIN / PASSWORD!
   He claims, too, that he never entered either into the browser's "goto
   URL" field, so IE3 must have added them without him knowing it.
   Now is that another MS security bug!
   [[<someuser> is not 100% sure if he used IE3 or NS3, but because NS
   wouldn't have access to the dialup information, I _guess_ it must have
   been IE3 because it's much more tightly coupled with the dialup
   routines]]

2) Apache might want to circumvent this bug by stripping <someuser>:<somepass>@
   out of the request, as it is done for FTP requests in the proxy module.

My question to you: what should I make out of this? Does it go to CERT,
or to MS, or to news:comp.infosystems.www.browsers.ms-windows?
What's your tip?

    Martin
-- 
| S I E M E N S |  <Ma...@mch.sni.de>  |      Siemens Nixdorf
| ------------- |   Voice: +49-89-636-46021     |  Informationssysteme AG
| N I X D O R F |   FAX:   +49-89-636-44994     |   81730 Munich, Germany
~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
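
The stripping suggested in point 2 of the message, as an added example (not part of the original post and not Apache's own code): a hypothetical helper, strip_userinfo(), that removes "user:password@" from a URL's authority before the URL is written to a referer log. The function name, buffer sizes and sample URL are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an Apache API): copy `url` into `out`, dropping
 * any "user:password@" userinfo from the authority so it never reaches a
 * log file. Returns 1 if credentials were removed, 0 if the URL was copied
 * unchanged, -1 if `out` is too small. */
int strip_userinfo(const char *url, char *out, size_t outlen)
{
    const char *auth = NULL, *end, *at = NULL, *p;
    size_t s, head, tail;

    /* Only an absolute URL ("scheme://...") has an authority. Requiring
     * ':' to be the first delimiter keeps a "://" that merely appears in
     * a path or query from being mistaken for the scheme separator. */
    s = strcspn(url, ":/?#");
    if (url[s] == ':' && url[s + 1] == '/' && url[s + 2] == '/')
        auth = url + s + 3;

    if (auth != NULL) {
        /* The authority ends at the first '/', '?' or '#'. */
        end = auth + strcspn(auth, "/?#");
        /* Userinfo ends at the last '@' inside the authority; an '@' in
         * the path or query is ordinary data and is left alone. */
        for (p = auth; p < end; p++)
            if (*p == '@')
                at = p;
    }
    if (at == NULL) {                     /* nothing to strip */
        if (strlen(url) >= outlen)
            return -1;
        strcpy(out, url);
        return 0;
    }
    head = (size_t)(auth - url);          /* "scheme://" */
    tail = strlen(at + 1);                /* host and everything after it */
    if (head + tail >= outlen)
        return -1;
    memcpy(out, url, head);
    memcpy(out + head, at + 1, tail + 1); /* copies the trailing NUL too */
    return 1;
}

int main(void)
{
    char buf[256];
    /* Constructed sample, modelled on the log entry quoted in the message. */
    int r = strip_userinfo("http://someuser:somepass@somehost/some/request/",
                           buf, sizeof buf);
    printf("%d %s\n", r, buf);
    return 0;
}
```

A return value of 1 is also a useful signal on its own: it can be counted or alerted on to find clients that are leaking credentials in the Referer header.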