Update: FTP "Network Place" with saved password will reveal cached password

From: Aaron Heck (AHeckat_private)
Date: Fri Dec 14 2001 - 10:59:34 PST

    Sorry guys.
    
    I just tested this on Windows 2000 through "My Network Places" - same
    result.
    
    Also tested it on Win98 just through Internet Explorer (since W2K/XP
    just use IE for network places) with the same result.
    
    Interestingly enough, though, if you punch in the whole address complete
    with the dual ../../ at the end, it doesn't show the password.  It only
    occurs if you actually enter the ../ once, press enter, add it again,
    and press enter again.
    
    Thanks!
    
    Aaron
    
    -----Original Message-----
    From: Aaron Heck 
    Sent: Friday, December 14, 2001 10:46 AM
    To: 'bugtraqat_private'
    Subject: FTP "Network Place" with saved password will reveal cached
    password
    
    
    Summary:
    When a "Network Place" has been added to "My Network Places" with a
    saved username and password it is possible to get Explorer to display
    the password in cleartext format by altering the path in the address
    bar.
     
    Details:
    Client Computer: Windows XP Professional (v5.1.2600)
    Server Computer: FreeBSD v4.3/4.4 (appears to be server independent but
    only tested on FreeBSD servers)
     
    I have not tested this in 2000 but I suspect it will behave in a similar
    fashion.
     
    Methodology example:
    FreeBSD server   ftp.someplace.com
    Home directory is /usr/home/someuser
    Login name is someuser
    Password is somepass
     
    Double click on My Network Places.
    Double Click on Add Network Place
    Provide the internet address of ftp://ftp.someplace.com
    Provide, when prompted, the username of someuser by deselecting
    anonymous login.
    Windows will inform you that you will be prompted for a password. You
    can select to "open this network place when I click Finish" (although it
    doesn't make a difference if you open the network place from this dialog
    or later from the "My Network Places" window). When prompted, provide
    your password.  Click the checkbox that says "remember my password".
    You'll now be logged in and your address bar should read something like:
        ftp://someuserat_private/
    Note there is no password.
    Click on the address bar and add, to the end of the address, ../
    Your address bar will change again but will not reveal the password.
        ftp://someuserat_private/../
    Click on the address bar yet again and add, to the end of the address,
    another ../
    The title bar will now appear like this:
        ftp://someuser:somepassat_private/usr/home/someuser/../../
     
    When I did this, the directory listing correctly points to the root
    directory of my FreeBSD server but the address bar reveals my password
    in plaintext format.
     
     
    I'm not sure if this is by design but I suspect not.
     
    By the way, this behaviour occurs whether you tell Windows to remember
    your password or not.  I didn't think it was a problem for sessions
    where you're not telling it to remember your password since you'd have
    to be there to enter your password to get into the session anyways.  But
    for network places with a saved password I think this is a potential
    security hole because people at the machine or with access to the
    machine could go into your saved network place and get it to regurgitate
    your password.
     
    Anyways, I couldn't find a place on MS's web site to report this flaw
    (if it is a flaw) so this is the only address I'm sending this to.
     
    Thanks!
     
    Aaron Heck
    Instructional Microcomputer Resource Coordinator
    Okanagan University College
    aheckat_private
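
The display-side fix for the behaviour reported above, as an added example that is not part of the original post and is not Microsoft's code: build the string shown in an address bar, title or log through one function that drops the password from the URL's userinfo, and check every address state against the saved secret. The function names and the full URLs are assumptions, constructed from the post's example values (the archive redacts the host part as "at_private").

```python
from urllib.parse import quote, unquote, urlsplit, urlunsplit


def display_form(url: str) -> str:
    """Return the URL as it may be shown to a person: the user name stays,
    the password part of the userinfo is dropped, the path is left as typed."""
    parts = urlsplit(url)
    # Split on the LAST "@" so a password that itself contains "@" is handled.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if at:
        user = userinfo.partition(":")[0]  # text before the first ":" is the user
        netloc = f"{user}@{hostport}" if user else hostport
    else:
        netloc = parts.netloc  # no credentials in the URL at all
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def leaks_secret(shown: str, secret: str) -> bool:
    """True if the displayed string contains the saved password,
    either raw or percent-encoded."""
    return secret in unquote(shown) or quote(secret, safe="") in shown


# Constructed sample: the three address states from the walkthrough above,
# written out with the post's example host, user and password.
STATES = [
    "ftp://someuser@ftp.someplace.com/",
    "ftp://someuser@ftp.someplace.com/../",
    "ftp://someuser:somepass@ftp.someplace.com/usr/home/someuser/../../",
]


def audit(states, secret):
    """Per state: (leaks as given, display form, display form still leaks)."""
    rows = []
    for state in states:
        shown = display_form(state)
        rows.append((leaks_secret(state, secret), shown, leaks_secret(shown, secret)))
    return rows


if __name__ == "__main__":
    for leaked, shown, still_leaks in audit(STATES, "somepass"):
        print(f"leaks as given: {leaked!s:5}  shown: {shown}  leaks after: {still_leaks}")
```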
     
    


