Reporter Packet Storm
`Date: Wed, 12 Aug 1998 19:26:27 +0800
From: VINCENT LOK <vincentl@VOL.NET>
Subject: obtain domain users password via asp server variable
Just noticed that with basic authentication on IIS, one can obtain
password of users accessing the ASP page via the server variable
The line <%= Request.ServerVariables("AUTH_PASSWORD") %>
in an asp file will do the trick.
With this, web page authors/content providers (probably not the
same person who administers the web server and NT domain) can easily
trap password of other domain users.
Basic authentication is never secure as it is possible to capture
password by sniffing and decoding the authentication packets, but this
would require accessibility to the network and some (though not much)
It is just too easy for someone to trap passwords simply using a few
lines of ASP code. Can this be considered as a SEB?
Date: Wed, 12 Aug 1998 10:04:56 -0400
From: Russ <Russ.Cooper@RC.ON.CA>
Subject: Re: obtain domain users password via asp server variable
>It is just too easy for someone to trap passwords simply using a
>few lines of ASP code. Can this be considered as a SEB?
This isn't a SEB, but its worth knowing. A Basic Authentication IIS site
is going to prompt the user for a userID and password. If they're
operating in a normal NT site, this is going to be an abnormal prompt
(they don't get prompted for sites that use NTLM, or anything else that
uses the NT Challenge/Response mechanism). As such, it should trigger a
reaction "Why am I being asked for a password?".
Luckily we made a stink during the IIS betas over the lack of any dialog
when enabling Basic Authentication for IIS. Now we have nice lengthy and
informative dialogs that explain the risks of doing this. Anyone who
accepts Basic Authentication after reading that dialog should already be
aware of the risks of doing so.
If the alternative is to store the password in a cookie, I'd say that
this is just as insecure as being able to retrieve it from a server
variable (if not identical).