[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: Re: IE and cached passwords
From: "Paul Leach (Exchange)" <paulle () EXCHANGE ! MICROSOFT ! COM>
Date: 1999-08-30 21:16:59
[Download RAW message or body]
> -----Original Message-----
> From: Aleph One [mailto:aleph1@underground.org]
> Sent: Saturday, August 28, 1999 11:31 AM
>
> On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:
> > The server gets to say, in the WWW-Authenticate challenge
> header field, for which "realm" it wants credentials (name+password). If
both
> www.company.com and www.company.com:81 send the same realm, then the same
> password will continue to work.
> >
> > This behavior is as spec'd for HTTP Authentication, RFC 2617.
> >
> > So, it is not a security flaw.
>
> Paul,
>
> That is false. Quoting RFC2617, Page 3:
<snip>
Indeed. That'll teach me to rely on memory. Even if I was the last person to
modify those words when editing 2617.
I forwarded the bug report to the IE security team.
Paul
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic