You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/07/24 15:00:50 UTC
Re: [SECURITY] What to do with security bug which I found?
I agree with the comments about MS's handling of password data,
however, I think that in this case, the browser has supplied Apache
with the information, what we do with it is our responsibility.
Handling this case is rather sticky. This may be an issue where we
need to document the fact that these sorts of log files contain
sensitive information and should not be stored with permissions
allowing unauthorized access. The challenge is then left up to the
admin....
> This sort of bug is pretty weel known, where MSIE reveals
> password information which it shouldn't. I suggest posting to bugtraq.
>
>
> > Hi Apache Developers,
> >
> > I don't know who exactly is to blame for this bug: in the referer_log of
> > my apache_1.2.1, I just found a log entry...
> >
> > http://someuser:somepass@somehost/some/request/ -> http://somewhere.else
> >
> > 1) The user who made the access claims he used IE3 via PPP dial up to my
> > server, and <someuser> and <somepass> are his DIALUP LOGIN / PASSWORD!
> > He claims, too, that he never entered either into the browser's "goto
> > URL" field, so IE3 must have added them without him knowing it.
> > Now is that another MS security bug!
> > [[<someuser> is not 100% sure if he used IE3 or NS3, but because NS
> > wouldn't have access to the dialup information, I _guess_ it must have
> > been IE3 because it's much more tightly coupled with the dialup
> > routines]]
> >
> > 2) Apache might want to circumvent this bug by stripping <someuser>:<somepass>@
> > out of the request, as it is done for FTP requests in the proxy module.
> >
> > My question to you: what should I make out of this? Does it go to CERT,
> > or to MS, or to news:comp.infosystems.www.browsers.ms-windows?
> > What's your tip?
> >
> > Martin
> > --
> > | S I E M E N S | <Ma...@mch.sni.de> | Siemens Nixdorf
> > | ------------- | Voice: +49-89-636-46021 | Informationssysteme AG
> > | N I X D O R F | FAX: +49-89-636-44994 | 81730 Munich, Germany
> > ~~~~~~~~~~~~~~~~My opinions only, of course; pgp key available on request
> >
>
>
> --
> Sameer Parekh Voice: 510-986-8770
> President FAX: 510-986-8777
> C2Net
> http://www.c2.net/ sameer@c2.net
Re: [SECURITY] What to do with security bug which I found?
Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Randy Terbush:
> I agree with the comments about MS's handling of password data,
> however, I think that in this case, the browser has supplied Apache
> with the information, what we do with it is our responsibility.
> Handling this case is rather sticky. This may be an issue where we
> need to document the fact that these sorts of log files contain
> sensitive information and should not be stored with permissions
> allowing unauthorized access. The challenge is then left up to the
> admin....
At least mod_proxy should take care that such bogus requests are
not forwarded, IMHO.
ciao...
--
Lars Eilebrecht
sfx@unix-ag.org