[Zope] browser security
Brian Lloyd
Brian@digicool.com
Tue, 4 Jan 2000 14:08:55 -0500
> Hi everyone,
>
> Here's a quick security question. I'm using ZServer w/ Apache.
>
> Someone pointed out to me today that it's possible to access
> a site like this:
>
> http://username:password@mysite.com/
>
> and the user is logged in automatically. Apparently there are cracking
> tools available that will attempt to guess passwords using this method
> thereby gaining access to the system.
>
> Is there any easy fix for this?
I don't believe that the username:password part of the URL
ever actually goes out on the wire - my understanding of this
is that IE (or other browsers that support this construct)
just accept this as a convenient shorthand and that they
remove the username/pw and send it in a header as usual...
As far as cracking tools, I can't imagine how this would
have any impact one way or the other - it's really just
a client convenience.
Hope this helps!
Brian Lloyd brian@digicool.com
Software Engineer 540.371.6909
Digital Creations http://www.digicool.com
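The browser behaviour described in the reply above, as an added example that is not part of the original post and is not Zope or ZServer code: a small Python model of what a client does with `http://username:password@mysite.com/` (the userinfo is removed from the request target and sent as an `Authorization: Basic` header, RFC 7617), what the server sees on the other side, and a check that the URL shorthand and an explicit header produce the same bytes on the wire. The URL is the one from the question; the function names (`split_userinfo`, `build_wire_request`, `parse_basic_authorization`, `same_on_the_wire`) are my own and the "wire request" is a simplified model of a GET request head, not a real socket write.

```python
import base64
from urllib.parse import unquote, urlsplit, urlunsplit


def split_userinfo(url):
    """Separate RFC 3986 userinfo from a URL.

    Returns (url_without_userinfo, username, password); username and password
    are None when the URL carried none. Percent-encoding in the userinfo is
    decoded, as a browser does before building the credential.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                       # IPv6 literal: urlsplit stripped the brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path or "/", parts.query, parts.fragment))
    user = unquote(parts.username) if parts.username is not None else None
    pw = unquote(parts.password) if parts.password is not None else None
    return clean, user, pw


def basic_authorization(username, password):
    """RFC 7617 Basic credential: 'Basic ' + base64(username ':' password)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def build_wire_request(url, username=None, password=None):
    """Model of the request head a browser sends for a GET (hypothetical helper).

    Credentials embedded in the URL are removed from the request target and the
    Host header and sent as an Authorization header, exactly as credentials
    typed into the browser's login dialog would be.
    """
    clean, url_user, url_pw = split_userinfo(url)
    if url_user is not None:              # the URL shorthand supplies the credentials
        username, password = url_user, url_pw or ""
    parts = urlsplit(clean)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    head = [f"GET {target} HTTP/1.1", f"Host: {parts.netloc}"]
    if username is not None:
        head.append(f"Authorization: {basic_authorization(username, password)}")
    return "\r\n".join(head) + "\r\n\r\n"


def parse_basic_authorization(header_value):
    """Server side (what the web server hands to the application): decode Basic.

    Returns (username, password), or None if the header is not well-formed
    Basic auth. A password may itself contain ':'; only the first ':' separates
    the user-id from the password.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in text:
        return None
    user, _, pw = text.partition(":")
    return user, pw


def same_on_the_wire(url_with_userinfo, clean_url, username, password):
    """True when the URL shorthand and an explicit header yield identical requests,
    i.e. a password-guessing tool gets nothing from the shorthand that it could
    not send directly as a header."""
    return build_wire_request(url_with_userinfo) == build_wire_request(clean_url, username, password)


if __name__ == "__main__":
    url = "http://username:password@mysite.com/"   # the URL from the question
    request = build_wire_request(url)
    print(request)
    # The server never sees 'username:password@' in the request line or Host;
    # it only sees the header and decodes it like any other Basic credential.
    _, _, auth = request.split("\r\n")[2].partition(": ")
    print(parse_basic_authorization(auth))
    print(same_on_the_wire(url, "http://mysite.com/", "username", "password"))
```

Because the two requests are byte-identical, the URL syntax neither adds nor removes anything a guessing tool could do by setting the `Authorization` header itself; what limits guessing is how the server responds to repeated failed Basic credentials, not the form in which they arrived. Later browsers also restricted the shorthand: Internet Explorer stopped honouring userinfo in HTTP URLs with the MS04-004 update in 2004, and Firefox asks for confirmation before sending such a request.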