Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Cleartext Password display in NS Communicator
From: oskar () is co za (Oskar Pearson)
Date: Thu, 3 Jul 1997 09:19:24 +0200

Fred Albrecht wrote:

The password is now plainly visible in the URL field :
    « ftp://user:passwd () host »

Appendix to my previous message:
It happens only when connecting over proxy Squid (1.1.10) and it appears
also in Squid's access.log.

After trying a number of combinations, it seems that it indeed only works
when going through the proxy... Squid 1.1.11 here.
Squid 1.NOVM.10 here

At any rate, Netscape shouldn't display the password and squid shouldn't
log what it can clearly identify as « sensitive » information.
Agreed - this is, however, a _setup_ problem with the squid proxy.

You have to change squid.conf so that ftpget_options includes either
the "-a" or "-A" flag (I prefer "-a")
It might be worth putting this in the documentation
or the config file's comments... I will contact people about this.

Our config file contains:
ftpget_options -a -p http://www.is.co.za/tisservices/proxy/ -s .gif -w 25

for the list of possible options run '/usr/local/squid/bin/ftpget -h'

These are the relevant options:
        -a              Do not show password in generated URLs
        -A              Do not show login information in generated URLs


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]