Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

Re: IE and cached passwords
From: paulle () EXCHANGE MICROSOFT COM (Exchange)
Date: Mon, 30 Aug 1999 14:16:59 -0700


-----Original Message-----
From: Aleph One [mailto:aleph1 () underground org]
Sent: Saturday, August 28, 1999 11:31 AM

On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:

The server gets to say, in the WWW-Authenticate challenge

header field, for which "realm" it wants credentials (name+password). If

both

www.company.com and www.company.com:81 send the same realm, then the same
password will continue to work.


This behavior is as spec'd for HTTP Authentication, RFC 2617.

So, it is not a security flaw.


Paul,

  That is false. Quoting RFC2617, Page 3:

<snip>

Indeed. That'll teach me to rely on memory. Even if I was the last person to
modify those words when editing 2617.

I forwarded the bug report to the IE security team.

Paul

  By Date           By Thread  

Current thread:
  • Re: IE and cached passwords Exchange (Aug 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]