Bugtraq
mailing list archives
Re: Cleartext Password display in NS Communicator
From: oskar () is co za (Oskar Pearson)
Date: Thu, 3 Jul 1997 09:19:24 +0200
Fred Albrecht wrote:
> The password is now plainly visible in the URL field :
> « ftp://user:passwd@host »

> Appendix to my previous message:
> It happens only when connecting over proxy Squid (1.1.10) and it appears
> also in Squid's access.log.

> After trying a number of combinations, it seems that it indeed only works
> when going through the proxy... Squid 1.1.11 here.

Squid 1.NOVM.10 here

> At any rate, Netscape shouldn't display the password and squid shouldn't
> log what it can clearly identify as « sensitive » information.

Agreed - this is, however, a _setup_ problem with the squid proxy.
You have to change squid.conf so that ftpget_options includes either
the "-a" or "-A" flag (I prefer "-a")
It might be worth putting this in the documentation
or the config file's comments... I will contact people about this.
Our config file contains:
ftpget_options -a -p http://www.is.co.za/tisservices/proxy/ -s .gif -w 25
for the list of possible options run '/usr/local/squid/bin/ftpget -h'
These are the relevant options:
-a Do not show password in generated URLs
-A Do not show login information in generated URLs
Oskar
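
An added example, not part of the original post or of Squid: a Python check that a squid.conf text carries -a or -A on its ftpget_options line, plus a scrubber that masks passwords already written to access.log as ftp://user:passwd@host URLs. The function names, the weak config, and the sample log lines with their field layout are constructed for illustration.

```python
import re

# ftp://user:password@host/... ; group 3 is the password to mask.
FTP_CRED = re.compile(r"(ftp://)([^\s:/@]+):([^\s/@]+)@", re.IGNORECASE)

def hides_credentials(squid_conf):
    """True if every active ftpget_options line carries -a or -A."""
    active = []
    for line in squid_conf.splitlines():
        fields = line.split()
        if fields and fields[0] == "ftpget_options":  # commented lines are skipped
            active.append(fields[1:])
    return bool(active) and all("-a" in f or "-A" in f for f in active)

def scrub_log(lines):
    """Mask passwords in ftp URLs; return (clean lines, 1-based hit line numbers)."""
    clean, hits = [], []
    for number, line in enumerate(lines, 1):
        masked, count = FTP_CRED.subn(r"\1\2:********@", line)
        clean.append(masked)
        if count:
            hits.append(number)
    return clean, hits

# Config line quoted in the message above, and a constructed one without -a/-A.
GOOD_CONF = "ftpget_options -a -p http://www.is.co.za/tisservices/proxy/ -s .gif -w 25\n"
WEAK_CONF = "# ftpget_options -a\nftpget_options -s .gif -w 25\n"

# Constructed access.log lines (assumed field layout, documentation addresses).
SAMPLE_LOG = [
    "868000000.123 1500 192.0.2.10 TCP_MISS/200 4321 GET "
    "ftp://alice:s3cret@ftp.example.org/pub/file.txt - DIRECT/ftp.example.org text/plain",
    "868000001.456 200 192.0.2.11 TCP_MISS/200 1234 GET "
    "ftp://ftp.example.org:21/pub/ - DIRECT/ftp.example.org text/html",
    "868000002.789 300 192.0.2.12 TCP_MISS/200 999 GET "
    "ftp://bob@ftp.example.org/ - DIRECT/ftp.example.org text/html",
]

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, "hides credentials:", hides_credentials(conf))
    clean, hits = scrub_log(SAMPLE_LOG)
    print("lines that exposed a password:", hits)
    print("\n".join(clean))
```

Any password the scrubber finds in an existing log should be treated as exposed and changed, since the log may already have been read or backed up.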