[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Re: IE and cached passwords
From:       "Paul Leach (Exchange)" <paulle () EXCHANGE ! MICROSOFT ! COM>
Date:       1999-08-30 21:16:59
[Download RAW message or body]

> -----Original Message-----
> From: Aleph One [mailto:aleph1@underground.org]
> Sent: Saturday, August 28, 1999 11:31 AM
>
> On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:
> > The server gets to say, in the WWW-Authenticate challenge
> header field, for which "realm" it wants credentials (name+password). If
both
> www.company.com and www.company.com:81 send the same realm, then the same
> password will continue to work.
> >
> > This behavior is as spec'd for HTTP Authentication, RFC 2617.
> >
> > So, it is not a security flaw.
>
> Paul,
>
>   That is false. Quoting RFC2617, Page 3:
<snip>

Indeed. That'll teach me to rely on memory. Even if I was the last person to
modify those words when editing 2617.

I forwarded the bug report to the IE security team.

Paul

[prev in list] [next in list] [prev in thread] [next in thread]