Bugtraq mailing list archives
Re: Cleartext Password display in NS Communicator
From: fred () DOTCOM FR (Fred Albrecht)
Date: Wed, 2 Jul 1997 20:32:44 +0200
On Wed, 2 Jul 1997, Holger Kanzog wrote:
> On Wed, 2 Jul 1997, Fred Albrecht wrote:
> > The following has been tested with Netscape Communicator 4.0 on NT 4 and 4.0b4 on Linux with the same results :
> > [..]
> > The password is now plainly visible in the URL field : « ftp://user:passwd@host »
>
> Appendix to my previous message: It happens only when connecting over proxy Squid (1.1.10) and it appears also in Squid's access.log.
After trying a number of combinations, it seems that it indeed only works when going through the proxy... Squid 1.1.11 here.

As for JavaScript and history, the history array is still defined in the JavaScript docs on the Netscape site which led me to believe that one could play with it. There may be limitations on accessing it though. I might be mistaken with this though, I don't use JavaScript a lot and didn't try this at all.

If access isn't possible through JavaScript it isn't too bad, although the fact that it's written to the proxy logs is a bit worrying. At any rate, Netscape shouldn't display the password and squid shouldn't log what it can clearly identify as « sensitive » information.

Fred.

--
----------------------------------------------------------
DotCom - Communication Numérique
http://www.dotcom.fr    mailto:info () dotcom fr
+33 01 46 67 51 00
"We use only the freshest handpicked electrons"
----------------------------------------------------------
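
Added example, not part of the original message or of Squid: a log scrubber that finds `scheme://user:password@host` URLs like the one described in the thread and masks the password before the log is stored or shared. The sample lines are constructed and only approximate Squid's access.log layout; the names `scrub_line`, `scrub_log` and `MASK` are illustrative.

```python
import re

MASK = "<redacted>"

# scheme://userinfo@ where userinfo cannot cross '/', '?' or '#'.
# The greedy match ends at the LAST '@' of the authority, so a password
# that itself contains an unencoded '@' is still captured whole.
USERINFO = re.compile(
    r"(?P<scheme>\b[A-Za-z][A-Za-z0-9+.-]*://)(?P<userinfo>[^\s/?#]*)@"
)

def scrub_line(line):
    """Return (clean_line, users) where users lists accounts whose password was masked."""
    users = []

    def _mask(match):
        user, sep, _password = match.group("userinfo").partition(":")
        if not sep:                      # username only (e.g. anonymous@): nothing secret
            return match.group(0)
        users.append(user)
        return f"{match.group('scheme')}{user}:{MASK}@"

    return USERINFO.sub(_mask, line), users

def scrub_log(text):
    """Scrub a whole log; return (clean_text, [(line_number, user), ...])."""
    clean, report = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        new_line, users = scrub_line(line)
        clean.append(new_line)
        report.extend((number, user) for user in users)
    return "\n".join(clean) + "\n", report

# Constructed sample lines (addresses and hosts are documentation values).
SAMPLE_LOG = """\
867868364.123 1200 192.0.2.10 TCP_MISS/200 4512 GET ftp://user:passwd@ftp.example.com/pub/ - DIRECT/ftp.example.com text/html
867868370.456 90 192.0.2.11 TCP_HIT/200 1024 GET http://www.example.com/index.html - NONE/- text/html
867868380.789 300 192.0.2.12 TCP_MISS/200 2048 GET ftp://anonymous@ftp.example.org/ - DIRECT/ftp.example.org text/html
867868390.000 410 192.0.2.13 TCP_MISS/200 999 GET ftp://bob:p@ss@ftp.example.net/x - DIRECT/ftp.example.net text/plain
"""

if __name__ == "__main__":
    cleaned, findings = scrub_log(SAMPLE_LOG)
    print(cleaned, end="")
    for number, user in findings:
        print(f"line {number}: password for '{user}' was logged in clear text")
```

Any password the report flags has already been written to disk in clear text, so it should be changed, not just masked.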
Current thread:
- Cleartext Password display in NS Communicator Fred Albrecht (Jul 02)
- Re: Cleartext Password display in NS Communicator Holger Kanzog (Jul 02)
- Re: Cleartext Password display in NS Communicator Fred Albrecht (Jul 02)
- Re: Cleartext Password display in NS Communicator Oskar Pearson (Jul 03)