able to access AUTH_PASSWORD from a perl script on IIS server

RESOLVED WORKSFORME

Status

()

RESOLVED WORKSFORME
15 years ago
13 years ago

People

(Reporter: andrew, Unassigned)

Tracking

Trunk
Sun
SunOS
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

15 years ago
User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.5a) Gecko/20030905
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.5a) Gecko/20030905

If I use mozilla (and Netscape) to load a perl script from a microsoft IIS web
server (on local password protect intranet) I am able to view my Wondows 2000
password using the environment vailable AUTH_PASSWORD.

This means that I could get all passwords of users who log onto our intranet!

Reproducible: Always

Steps to Reproduce:
c:\> cat env.pl

use CGI qw( :standard );
print( header() );

print( $ENV{ AUTH_PASSWORD } ) ;
print("<br>");
print( $ENV{ AUTH_USER } ) ;
print("<br>");

print( end_html() );




Expected Results:  
I am not sure if it is a bug, but I notice IE and mozilla on windows does not
allow access to AUTH_PASSWORD!

I have tried a few versions of the browser: 
 - IE 5 on Windows Safe
 - Mozilla 1.5b on Windiws Safe
 - Netscape 7.1 on Windows safe

 - Mozilla 1.4 on Solaris NOT SAFE
 - Mozilla 1.5a on Solaris NOT safe
 - Netscape 7.0 on Solaris NOT safe
 - Netscape 7.0 on windows NOT safe
I am confused. As far as I can tell, Mozilla/Netscape is only showing what it is
receiving from the server. Therefore it seems like the problem is on the server
end. I have no idea why things would work differently depending on what platform
the browser was running.

Reporter, do you get the same results running other browsers on other platforms?
Try Lynx etc.

Reassigning to Networking.
Assignee: general → darin
Component: Browser-General → Networking
QA Contact: general → benc
Whiteboard: [sg:needinfo]
Chris: appears to affect older versions (1.4), you might care about this one

Comment 3

14 years ago
Andre:

What kind of authorization do you have turned on in IIS? Are you sure the
browser has not legitimately sent authorization to the server?

What does view source for the returned file say?

This sounds like a server-side problem.

Updated

13 years ago
Summary: able to access AUTH_PASSWORD from a perl script on IIS server → [Mozilla 1.4 and below] able to access AUTH_PASSWORD from a perl script on IIS server

Updated

13 years ago
Whiteboard: [sg:needinfo] → [sg:needinfo] only affects Mozilla 1.4 and below

Comment 4

13 years ago
I'm not sure comment 2 is correct.  Maybe Andrew was trying to say that this bug
only happens on Solaris rather than that it only happens in Mozilla 1.4 and below.

This does sound more like a misconfiguration than a security hole, though.
Andrew, have you figured this out?
Summary: [Mozilla 1.4 and below] able to access AUTH_PASSWORD from a perl script on IIS server → able to access AUTH_PASSWORD from a perl script on IIS server
Whiteboard: [sg:needinfo] only affects Mozilla 1.4 and below → [sg:needinfo]

Updated

13 years ago
Assignee: darin → nobody
QA Contact: benc → networking
Never got enough info to reproduce
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → WORKSFORME
Whiteboard: [sg:needinfo]
You need to log in before you can comment on or make changes to this bug.