Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Cleartext Password display in NS Communicator
From: fred () DOTCOM FR (Fred Albrecht)
Date: Wed, 2 Jul 1997 20:32:44 +0200

On Wed, 2 Jul 1997, Holger Kanzog wrote:

On Wed, 2 Jul 1997, Fred Albrecht wrote:

The following has been tested with Netscape Communicator 4.0 on NT 4 and
4.0b4 on Linux with the same results :


The password is now plainly visible in the URL field :
    « ftp://user:passwd () host »

Appendix to my previous message:

It happens only when connecting over proxy Squid (1.1.10) and it appears
also in Squid's access.log.

After trying a number of combinations, it seems that it indeed only works
when going through the proxy... Squid 1.1.11 here.

As for JavaScript and history, the history array is still defined in the
JavaScript docs on the Netscape site which led me to believe that one
could play with it.  There may be limitations on accessing it though.  I
might be mistaken with this though, I don't use JavaScript a lot and
didn't try this at all.

If access isn't possible through JavaScript it isn't too bad, although the
fact that it's written to the proxy logs is a bit worrying.

At any rate, Netscape shouldn't display the password and squid shouldn't
log what it can clearly identify as « sensitive » information.

--    ----------------------------------------------------------
                   DotCom - Communication Numérique
    http://www.dotcom.fr mailto:info () dotcom fr  +33 01 46 67 51 00
           "We use only the freshest handpicked electrons"

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]