Fog Creek Software
Discussion Board




Speaking of Passwords

Is this a known problem?

I am using Windows 2000.

I open Windows Explorer and choose to map an ftp site. (I have an account at a university.)

I navigate to one of the folders and inside this folder I have an html document.

I open this document.

An Internet Explorer window opens with the path being:
ftp://charley@turing.une.edu.au/public_html/atomicQuiz.html

But, the title of the Internet Explorer window is as follows:
ftp://charley:abcdefg@turing.une.edu.au/public_html/atomicQuiz.html

where ‘abcdefg’ is my actual password! Right up there in lights.

What is with this?

Aussie Chick
Friday, November 14, 2003

ftp has that shortcut to allow you to specify the password and user in the ftp address. It's probably not the best idea to display it in plain sight like that though, and would certainly be a bad thing for it to get cached in the history list.

anon
Friday, November 14, 2003

At a presentation the speaker demonstrated how you could access some files just by clicking on a hyperlink.

The files were placed on their main customer's ftp server and "behind" the hyperlink you could see both username and password in plain text.

I pointed this out after the presentation and showed how easily I could read and write(!) on the server. No one else noticed and they changed their presentation material after that.

Glenn. B. Hansen
Friday, November 14, 2003

The crazy cats on the Bugtraq mailing list discovered this back in 2001:
http://cert.uni-stuttgart.de/archive/bugtraq/2001/12/msg00151.html

I thought it might have been fixed by now...

Glenn Kentwell
Friday, November 14, 2003

Also, if you print that page while looking at it, it prints your username and password on the printout as well...

Andrew Hurst
Friday, November 14, 2003

It's a bug. They haven't fixed it yet.

ftp://username:password@domain.ext

should never be cached...

Li-fan Chen
Friday, November 14, 2003
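
Added example, not part of any post in this thread: a Python sketch of the handling the posts above ask for, removing the password from a `user:password@host` URL before it reaches a title bar, history list or printout, and flagging links that carry one. The function names and the sample text are constructed for illustration, and ftp.example.com is a placeholder host.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Any scheme://... token up to whitespace, quotes or angle brackets.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s\"'<>]+", re.IGNORECASE)


def split_userinfo(url):
    """Return (parts, user, password, hostport); password is None if absent."""
    parts = urlsplit(url)
    # Split on the LAST '@': a raw '@' inside the password must not be
    # mistaken for the start of the host.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return parts, None, None, parts.netloc
    user, colon, password = userinfo.partition(":")
    return parts, user, (password if colon else None), hostport


def strip_password(url):
    """Drop the password but keep the user name, for display or storage."""
    parts, user, password, hostport = split_userinfo(url)
    if password is None:
        return url
    netloc = f"{user}@{hostport}" if user else hostport
    return urlunsplit(parts._replace(netloc=netloc))


def find_embedded_passwords(text):
    """Return the redacted form of every URL in text that carries a password."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        if split_userinfo(url)[2]:  # non-empty password present
            hits.append(strip_password(url))
    return hits


# Constructed sample: history-style entries and a link in presentation material.
SAMPLE = """\
ftp://charley:abcdefg@turing.une.edu.au/public_html/atomicQuiz.html
ftp://charley@turing.une.edu.au/public_html/atomicQuiz.html
<a href="ftp://demo:p@ss:word@ftp.example.com:21/files/">customer files</a>
http://www.example.com/help?contact=a:b@example.com
"""

if __name__ == "__main__":
    for url in find_embedded_passwords(SAMPLE):
        print("password found and removed:", url)
```

The last sample line is not flagged because its `a:b@` sits in the query string, not in the host part of the URL.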

I am using IE 6 and have tried all sorts of ways to reproduce it and can't.  Maybe they hardcoded the password in the links???

DJ
Friday, November 14, 2003

No problem here using XP SP1.  I'm pretty sure I remember this being fixed a while ago.  Are you running IE 6 with all the patches?

SomeBody
Friday, November 14, 2003
