Re: Winamp SHOUTcast server: Gain Administrator Password

From: Philip Stoev (philipat_private)
Date: Mon Aug 23 1999 - 08:48:31 PDT


    > The password is also LOGGED when the web based administration tool is
    > used. It can be obtained by simply grep'ing the logfile output. The
    > offending line is here:
    > <08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0 (compatible; MSIE 5.0; Windows 98))
    
    It seems that many people still do not get the idea that POST should be
    used instead of GET in any situation where authentication takes place via
    an HTML page. The GET arguments can show up not only in a web server log,
    but in the log of a proxy server standing between the web server and the
    person trying to authenticate.
    
    
    Philip
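To make the exposure concrete, here is an added example (not from the original thread or from the SHOUTcast project) that scans log lines in the shape quoted above for credentials passed as GET query parameters and produces a redacted copy; the sensitive parameter names and the sample log lines are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names that commonly carry secrets (constructed list; extend as needed).
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd", "token", "apikey", "secret"}

# Matches a SHOUTcast-style request line:
#   <08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=x&mode=viewlog" (UA)
LOG_RE = re.compile(r'^(?P<ts><[^>]+>)\s+(?P<src>\[[^\]]+\])\s+REQ:"(?P<url>[^"]*)"(?P<rest>.*)$')


def find_leaked_params(url):
    """Return the names of sensitive query parameters present in a request URL."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def redact_url(url):
    """Replace the value of every sensitive query parameter with [REDACTED]."""
    parts = urlsplit(url)
    pairs = [(n, "[REDACTED]" if n.lower() in SENSITIVE_PARAMS else v)
             for n, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]")))


def scan_log(lines):
    """Return (original_line, leaked_param_names, redacted_line) for each leaking line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line; nothing to inspect
        leaked = find_leaked_params(m.group("url"))
        if leaked:
            redacted = f'{m.group("ts")} {m.group("src")} REQ:"{redact_url(m.group("url"))}"{m.group("rest")}'
            findings.append((line, leaked, redacted))
    return findings


# Constructed sample log lines in the same format as the one quoted in the thread.
SAMPLE_LOG = [
    '<08/20/99@06:11:41> [http:1 my.computer.com] REQ:"/admin.cgi?pass=joltcola&mode=viewlog" (Mozilla/4.0)',
    '<08/20/99@06:12:02> [http:2 my.computer.com] REQ:"/index.html" (Mozilla/4.0)',
    '<08/20/99@06:12:40> [http:3 my.computer.com] REQ:"/admin.cgi?mode=viewlog&Password=s3cret" (curl/7.0)',
]

if __name__ == "__main__":
    for _original, names, redacted in scan_log(SAMPLE_LOG):
        print("LEAK", names, "->", redacted)
```

The same parsing applies to a proxy's access log, which is the second place Philip notes a GET-based credential ends up.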
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:58:00 PDT