| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 27 Jul 2005 16:58:49 -0700 From: Nate Smith <nate@...backrow.net> To: account.throw@...il.com Cc: bugtraq@...urityfocus.com Subject: Re: Getting round website authentication with Firefox On Sun, Jul 24, 2005 at 11:52:11PM -0000, account.throw@...il.com wrote: > Using firefox's "save target as" feature, you can get round web authentication. > > Make a password protected directory (with a video file inside) (using .htaccess and htpasswd), check that it actully requires a login when you click the link to the video normally, then create a hyperlink to the file, right click save as - oh snap, it doesn't ask for authentication. > > I've only tested it with a video file and Firefox 1.0.6. If this got around authenticating, it would be the fault of the server, not the browser. The browser is only sending a 'request' for a document. If firefox fails to ask for credentials in any authentication scheme, it is the fault of firefox, and should be reported to their bug tracking system. Check their support forums first to see if it's known: http://forums.mozillazine.org/ I tried it with firefox 1.0.6 and it didn't ask for credentials, but it didn't give me the FILE, either :) If it has cached your authentication response from a previous request, then yes, it will let you have the file. But that won't work for someone who genuinely doesn't know the username/password. -Nate
Powered by blists - more mailing lists