Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Vulnerability Development: Re: IE 5.0 vulnerability

Re: IE 5.0 vulnerability

From: David Schwartz <davids_at_WEBMASTER.COM>
Date: Sun, 24 Oct 1999 10:51:28 -0700

    This has nothing to do with cookies. It's autocompletion. The two
technologies are entirely unrelated.

        DS

-----Original Message-----
From: VULN-DEV List [mailto:VULN-DEV_at_SECURITYFOCUS.COM]On Behalf Of Josh
Burns
Sent: Friday, October 22, 1999 2:20 PM
To: VULN-DEV_at_SECURITYFOCUS.COM
Subject: IE 5.0 vulnerability

I'm not sure if this has been announced yet, but here goes.. I am not sure
if this is an IE 5 problem, or not, but when you have cookies enabled
(default setting), and you use a service like AOLMail, Hotmail, or anything
that requires a name and password, it is stored in a cookie for later use.
If the user closes IE, and then reopens it, and goes to the same page, and
type in the first letter of their login name, a drop-down box will come up,
with their user name in it, and you can click it. Then, if the user clicks
on the password field, it automatically fills in their password. I'm not
sure what the cookie for this looks like, if the stored password is
encrypted, or not, because I didn't have time to test. This can most likely
be fixed by going to Internet Options, and turning off cookies from all
hosts. Please give me some feedback on this.

Josh Burns
Received on Oct 24 1999

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos