Closed
Bug 218911
Opened 21 years ago
Closed 18 years ago
able to access AUTH_PASSWORD from a perl script on IIS server
Categories
(Core :: Networking, defect)
RESOLVED
WORKSFORME
People
(Reporter: andrew, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.5a) Gecko/20030905
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.5a) Gecko/20030905

If I use Mozilla (and Netscape) to load a Perl script from a Microsoft IIS web server (on a local password-protected intranet) I am able to view my Windows 2000 password using the environment variable AUTH_PASSWORD. This means that I could get all passwords of users who log onto our intranet!

Reproducible: Always

Steps to Reproduce:

    c:\> cat env.pl
    use CGI qw( :standard );
    print( header() );
    print( $ENV{ AUTH_PASSWORD } );
    print("<br>");
    print( $ENV{ AUTH_USER } );
    print("<br>");
    print( end_html() );

Expected Results:
I am not sure if it is a bug, but I notice IE and Mozilla on Windows do not allow access to AUTH_PASSWORD!

I have tried a few versions of the browser:
- IE 5 on Windows: safe
- Mozilla 1.5b on Windows: safe
- Netscape 7.1 on Windows: safe
- Mozilla 1.4 on Solaris: NOT safe
- Mozilla 1.5a on Solaris: NOT safe
- Netscape 7.0 on Solaris: NOT safe
- Netscape 7.0 on Windows: NOT safe
I am confused. As far as I can tell, Mozilla/Netscape is only showing what it is receiving from the server. Therefore it seems like the problem is on the server end. I have no idea why things would work differently depending on what platform the browser was running. Reporter, do you get the same results running other browsers on other platforms? Try Lynx etc. Reassigning to Networking.
Assignee: general → darin
Component: Browser-General → Networking
QA Contact: general → benc
Updated•20 years ago
Whiteboard: [sg:needinfo]
Comment 2•19 years ago
Chris: appears to affect older versions (1.4), you might care about this one
Andre: What kind of authorization do you have turned on in IIS? Are you sure the browser has not legitimately sent authorization to the server? What does view source for the returned file say? This sounds like a server-side problem.
Updated•19 years ago
Summary: able to access AUTH_PASSWORD from a perl script on IIS server → [Mozilla 1.4 and below] able to access AUTH_PASSWORD from a perl script on IIS server
Updated•19 years ago
Whiteboard: [sg:needinfo] → [sg:needinfo] only affects Mozilla 1.4 and below
Comment 4•19 years ago
I'm not sure comment 2 is correct. Maybe Andrew was trying to say that this bug only happens on Solaris rather than that it only happens in Mozilla 1.4 and below. This does sound more like a misconfiguration than a security hole, though. Andrew, have you figured this out?
Summary: [Mozilla 1.4 and below] able to access AUTH_PASSWORD from a perl script on IIS server → able to access AUTH_PASSWORD from a perl script on IIS server
Whiteboard: [sg:needinfo] only affects Mozilla 1.4 and below → [sg:needinfo]
Updated•18 years ago
Assignee: darin → nobody
QA Contact: benc → networking
Comment 5•18 years ago
Never got enough info to reproduce
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → WORKSFORME
Whiteboard: [sg:needinfo]
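One way to answer the question in comment 2 about which authorization is in effect, as an added example that is not part of the bug report or of Mozilla's code: a CGI diagnostic that reports the authentication scheme and whether AUTH_PASSWORD is populated, without echoing the password. It assumes the server passes the standard CGI variables AUTH_TYPE and GATEWAY_INTERFACE to the script; the function names and the sample environments are constructed for illustration.

```perl
#!/usr/bin/perl
# Added diagnostic, not from the bug report. Sample data below is constructed.
use strict;
use warnings;

# Summarise how a request was authenticated and whether the server handed
# the script a recoverable password. The password itself is never returned.
sub classify_auth {
    my ($env) = @_;
    my $type    = $env->{AUTH_TYPE};
    my $scheme  = (defined($type) && length($type)) ? lc($type) : 'none';
    my $pw      = $env->{AUTH_PASSWORD};
    my $exposed = (defined($pw) && length($pw)) ? 1 : 0;
    my $note =
        $scheme eq 'basic' ? 'browser sent the password in recoverable form'
      : $exposed           ? 'password visible under a non-Basic scheme: check server config'
      :                      'no password visible to the script';
    return {
        scheme           => $scheme,
        user             => $env->{AUTH_USER} // '',
        password_exposed => $exposed,
        note             => $note,
    };
}

# One log-friendly line per request; only a 0/1 flag stands in for the password.
sub report_line {
    my ($r) = @_;
    return sprintf 'scheme=%s user=%s password_exposed=%d (%s)',
        @{$r}{qw(scheme user password_exposed note)};
}

if ($ENV{GATEWAY_INTERFACE}) {
    # Running under a web server: report on the live request.
    print "Content-Type: text/plain\n\n", report_line(classify_auth(\%ENV)), "\n";
}
else {
    # Running from a shell: walk through constructed environments.
    my @samples = (
        { AUTH_TYPE => 'Basic', AUTH_USER => 'alice', AUTH_PASSWORD => 'constructed-secret' },
        { AUTH_TYPE => 'NTLM',  AUTH_USER => 'EXAMPLE\\alice' },
        {},
    );
    print report_line(classify_auth($_)), "\n" for @samples;
}
```

Loading this from each browser and platform listed in the description shows whether the differing results line up with a differing authentication scheme.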