Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

asp-server-var.passwds.txt

๐Ÿ—“๏ธย 17 Aug 1999ย 00:00:00Reported byย Packet StormTypeย 
packetstorm
ย packetstorm๐Ÿ”—ย packetstormsecurity.com๐Ÿ‘ย 41ย Views

Exploiting ASP server for capturing user passwords via basic authentication risks and vulnerabilities.

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`Date: Wed, 12 Aug 1998 19:26:27 +0800  
From: VINCENT LOK <[email protected]>  
Subject: obtain domain users password via asp server variable  
  
Dear all,  
  
Just noticed that with basic authentication on IIS, one can obtain  
password of users accessing the ASP page via the server variable  
AUTH_PASSWORD.  
  
The line <%= Request.ServerVariables("AUTH_PASSWORD") %>  
in an asp file will do the trick.  
  
With this, web page authors/content providers (probably not the  
same person who administers the web server and NT domain) can easily  
trap password of other domain users.  
  
Basic authentication is never secure as it is possible to capture  
password by sniffing and decoding the authentication packets, but this  
would require accessibility to the network and some (though not much)  
technical expertise.  
  
It is just too easy for someone to trap passwords simply using a few  
lines of ASP code. Can this be considered as a SEB?  
  
Regards,  
Vincent Lok  
  
  
----------------------------  
  
Date: Wed, 12 Aug 1998 10:04:56 -0400  
From: Russ <[email protected]>  
Subject: Re: obtain domain users password via asp server variable  
  
Vincent said...  
>It is just too easy for someone to trap passwords simply using a  
>few lines of ASP code. Can this be considered as a SEB?  
  
This isn't a SEB, but its worth knowing. A Basic Authentication IIS site  
is going to prompt the user for a userID and password. If they're  
operating in a normal NT site, this is going to be an abnormal prompt  
(they don't get prompted for sites that use NTLM, or anything else that  
uses the NT Challenge/Response mechanism). As such, it should trigger a  
reaction "Why am I being asked for a password?".  
  
Luckily we made a stink during the IIS betas over the lack of any dialog  
when enabling Basic Authentication for IIS. Now we have nice lengthy and  
informative dialogs that explain the risks of doing this. Anyone who  
accepts Basic Authentication after reading that dialog should already be  
aware of the risks of doing so.  
  
If the alternative is to store the password in a cookie, I'd say that  
this is just as insecure as being able to retrieve it from a server  
variable (if not identical).  
  
Cheers,  
Russ  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contactย us for a demo andย discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
17 Aug 1999 00:00Current
7.4High risk
Vulners AI Score7.4
password retrievalasp server variablebasic authenticationiis vulnerabilitiesdomain users.
41
.json
Report