Intrusion Detection Systems mailing list archives

Bookmark URLs that contain authentication arguments


From: ICoS () operamail com (ICoS)
Date: Sun, 19 Dec 1999 15:30:49 -0500



I am really in need of some expert advice. I don't know if this is the correct 
place for this particular question but perhaps someone would be kind enough to 
direct me to a more appropriate list if it isn't.

I have just installed a web interface for a mailing list software program. 
There is an authentication screen (userid/passwd) for initial log in before 
getting further in. I set up the administrator passwd and went to some of the 
list configuration pages where I can execute commands and manipulate headers. 
Out of habit more than anything I bookmarked these pages.

When I use these bookmarks I can get straight at the configuration pages; the 
URL contains the userid in plain text and the password in encrypted form. 
Trouble is these seem to be passed to the CGI script and it authenticates me 
with them and gives me a supposedly 10 minute ticket to do what I want in 
there.

I asked the software providers about this and was told that I was bookmarking 
pages I shouldn't bookmark.

To me this seems to be insecure and almost buggy.

Am I wrong?

ICoS
