lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 28 Jul 2005 01:55:10 +0200
From: Christopher Kunz <christopher.kunz@...dened-php.net>
To: bugtraq@...urityfocus.com
Subject: Re: Getting round website authentication with Firefox


account.throw@...il.com wrote:
> Using firefox's "save target as" feature, you can get round web authentication.
> 
> Make a password protected directory (with a video file inside) (using .htaccess and htpasswd), check that it actully requires a login when you click the link to the video normally, then create a hyperlink to the file, right click save as - oh snap, it doesn't ask for authentication.
> 
> I've only tested it with a video file and Firefox 1.0.6.

Nope. This cannot work, you probably messed up your basic auth settings in 
Apache. If you perform a HEAD /protected/video.avi, you will already see the 401 
header - and there is no way to bypass that with a client.

For the sake of the argument, I actually tried it out - and it doesn't work (of 
course).

I'd suspect that you a) didn't configure the basic auth properly or b) have run 
into the infamous basic auth caching issue (a.k.a. "we can't log out users with 
basic auth").

--ck

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ