Bugtraq mailing list archives
Re: IE and cached passwords
From: paulle () EXCHANGE MICROSOFT COM (Exchange)
Date: Mon, 30 Aug 1999 14:16:59 -0700
-----Original Message----- From: Aleph One [mailto:aleph1 () underground org] Sent: Saturday, August 28, 1999 11:31 AM On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:The server gets to say, in the WWW-Authenticate challengeheader field, for which "realm" it wants credentials (name+password). If
both
www.company.com and www.company.com:81 send the same realm, then the same password will continue to work.This behavior is as spec'd for HTTP Authentication, RFC 2617. So, it is not a security flaw.Paul, That is false. Quoting RFC2617, Page 3:
<snip> Indeed. That'll teach me to rely on memory. Even if I was the last person to modify those words when editing 2617. I forwarded the bug report to the IE security team. Paul
Current thread:
- Re: IE and cached passwords Exchange (Aug 30)