[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <42E89636.2020402@wyrddreams.org>
Date: Thu, 28 Jul 2005 09:24:22 +0100
From: James Tait <james.tait@...ddreams.org>
To: bugtraq@...urityfocus.com
Subject: Re: Getting round website authentication with Firefox
account.throw@...il.com wrote:
> Using firefox's "save target as" feature, you can get round web
> authentication.
>
> Make a password protected directory (with a video file inside) (using
> .htaccess and htpasswd), check that it actully requires a login when you
> click the link to the video normally, then create a hyperlink to the
> file, right click save as - oh snap, it doesn't ask for authentication.
>
> I've only tested it with a video file and Firefox 1.0.6.
Did you restart Firefox after clicking the link the first time? Firefox
will remember the HTTP Basic Authentication credentials after you've entered
them once.
Did you make sure the "Use Password Manager to remember this password" check
box was cleared? Firefox *should* still prompt you for auth, but with the
values pre-filled.
Did you clear your cache? If you've already visited the page, it's possible
that when you click "Save Link As..." Firefox just reads the cached copy.
Are you accessing the protected page through a proxy server? Again, it's
possible the proxy server is serving up a cached response, or re-issuing
your original request to the origin server.
For what it's worth, I tried to reproduce this and couldn't.
JT
--
-------------------------------------+------------------------------------
James Tait, BSc | xmpp:jayteeuk@...ddreams.org
Programmer and Open Source advocate | Mobile: +44 (0)7779 337596
-------------------------------------+------------------------------------
Powered by blists - more mailing lists