Re: IE and cached passwords

From: Paul Leach (Exchange) (paulleat_private)
Date: Mon Aug 30 1999 - 14:16:59 PDT

Next message: Prince Ctrl: "RH 6.0 shadow passwords and locking users bug"

Previous message: Stefan Laudat: "Re: Dynamic DNS"
Maybe in reply to: Justin King: "IE and cached passwords"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----Original Message-----
> From: Aleph One [mailto:aleph1at_private]
> Sent: Saturday, August 28, 1999 11:31 AM
>
> On Fri, Aug 27, 1999 at 07:04:53PM -0700, Paul Leach (Exchange) wrote:
> > The server gets to say, in the WWW-Authenticate challenge
> header field, for which "realm" it wants credentials (name+password). If
both
> www.company.com and www.company.com:81 send the same realm, then the same
> password will continue to work.
> >
> > This behavior is as spec'd for HTTP Authentication, RFC 2617.
> >
> > So, it is not a security flaw.
>
> Paul,
>
>   That is false. Quoting RFC2617, Page 3:
<snip>

Indeed. That'll teach me to rely on memory. Even if I was the last person to
modify those words when editing 2617.

I forwarded the bug report to the IE security team.

Paul

Next message: Prince Ctrl: "RH 6.0 shadow passwords and locking users bug"
Previous message: Stefan Laudat: "Re: Dynamic DNS"
Maybe in reply to: Justin King: "IE and cached passwords"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:00:51 PDT