Closed Bug 218911 Opened 21 years ago Closed 18 years ago

able to access AUTH_PASSWORD from a perl script on IIS server

Categories

(Core :: Networking, defect)

Sun
SunOS
defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: andrew, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.5a) Gecko/20030905
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.5a) Gecko/20030905

If I use Mozilla (and Netscape) to load a Perl script from a Microsoft IIS web
server (on a local password-protected intranet) I am able to view my Windows 2000
password using the environment variable AUTH_PASSWORD.

This means that I could get all passwords of users who log onto our intranet!

Reproducible: Always

Steps to Reproduce:
c:\> cat env.pl

use CGI qw( :standard );
print( header() );

print( $ENV{ AUTH_PASSWORD } ) ;
print("<br>");
print( $ENV{ AUTH_USER } ) ;
print("<br>");

print( end_html() );




Expected Results:  
I am not sure if it is a bug, but I notice IE and Mozilla on Windows do not
allow access to AUTH_PASSWORD!

I have tried a few versions of the browser: 
 - IE 5 on Windows Safe
 - Mozilla 1.5b on Windows Safe
 - Netscape 7.1 on Windows safe

 - Mozilla 1.4 on Solaris NOT SAFE
 - Mozilla 1.5a on Solaris NOT safe
 - Netscape 7.0 on Solaris NOT safe
 - Netscape 7.0 on Windows NOT safe

I am confused. As far as I can tell, Mozilla/Netscape is only showing what it is
receiving from the server. Therefore it seems like the problem is on the server
end. I have no idea why things would work differently depending on what platform
the browser was running.

Reporter, do you get the same results running other browsers on other platforms?
Try Lynx etc.

Reassigning to Networking.
Assignee: general → darin
Component: Browser-General → Networking
QA Contact: general → benc
Whiteboard: [sg:needinfo]
Chris: appears to affect older versions (1.4), you might care about this one
Andre:

What kind of authorization do you have turned on in IIS? Are you sure the
browser has not legitimately sent authorization to the server?

What does view source for the returned file say?

This sounds like a server-side problem.
Summary: able to access AUTH_PASSWORD from a perl script on IIS server → [Mozilla 1.4 and below] able to access AUTH_PASSWORD from a perl script on IIS server
Whiteboard: [sg:needinfo] → [sg:needinfo] only affects Mozilla 1.4 and below
I'm not sure comment 2 is correct.  Maybe Andrew was trying to say that this bug
only happens on Solaris rather than that it only happens in Mozilla 1.4 and below.

This does sound more like a misconfiguration than a security hole, though.
Andrew, have you figured this out?
Summary: [Mozilla 1.4 and below] able to access AUTH_PASSWORD from a perl script on IIS server → able to access AUTH_PASSWORD from a perl script on IIS server
Whiteboard: [sg:needinfo] only affects Mozilla 1.4 and below → [sg:needinfo]
Assignee: darin → nobody
QA Contact: benc → networking
Never got enough info to reproduce
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Whiteboard: [sg:needinfo]
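
Added example, not part of the bug thread or of any Mozilla or IIS code: the question asked above about which kind of authorization the browser sent can be answered from the scheme in the request's Authorization header. It assumes the server offers both Basic and NTLM, which the thread never confirms; a Basic header is just base64 of "user:password", so the server legitimately holds the password, while an NTLM message carries no cleartext password. The header values, account name and password below are constructed.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def classify_authorization(header_value):
    """Describe what an Authorization header value hands to the server."""
    scheme, _, blob = header_value.strip().partition(" ")
    result = {"scheme": scheme.lower(), "cleartext_password_sent": False,
              "user": None, "detail": ""}
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        result["detail"] = "credentials are not valid base64"
        return result

    if result["scheme"] == "basic":
        # Basic: base64("user:password"), reversible by anyone who sees it.
        user, sep, password = raw.decode("utf-8", "replace").partition(":")
        result["user"] = user
        result["cleartext_password_sent"] = bool(sep)
        # Report only the length; a diagnostic should never echo the password.
        result["detail"] = "password of %d characters is recoverable" % len(password)
    elif result["scheme"] in ("ntlm", "negotiate"):
        if raw.startswith(NTLMSSP_SIGNATURE) and len(raw) >= 12:
            # Bytes 8..11 hold the little-endian NTLMSSP message type.
            (msg_type,) = struct.unpack_from("<I", raw, 8)
            result["detail"] = "NTLMSSP message type %d, no cleartext password" % msg_type
        else:
            result["detail"] = "opaque security token, no cleartext password"
    else:
        result["detail"] = "scheme not handled by this example"
    return result


def sample_headers():
    """Constructed header values; the account and password are made up."""
    basic = "Basic " + base64.b64encode(b"andrew:example-password").decode("ascii")
    ntlm_negotiate = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0)
    ntlm = "NTLM " + base64.b64encode(ntlm_negotiate).decode("ascii")
    return {"basic": basic, "ntlm": ntlm}


if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, classify_authorization(value))
```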