
Cryptographic splicing makes for a Wordpress vulnerability


Posted May 8, 2008 16:23 UTC (Thu) by bronson (subscriber, #4806)
In reply to: Cryptographic splicing makes for a Wordpress vulnerability by epa
Parent article: Cryptographic splicing makes for a Wordpress vulnerability

And add the ability to log out!  What did the HTTP devs think, that nobody ever wanted to
share a computer?



Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 18:52 UTC (Thu) by martinfick (subscriber, #4455)

That would probably be a browser implementation issue, wouldn't it?  File a bug against your
browser if it does not allow this.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 19:36 UTC (Thu) by bronson (subscriber, #4806)

Can you name a browser implementation that does work?

Many bugs have been filed, and there's endless discussion only a Google search away, but
there's been zero forward progress.

Opened 2004: https://bugzilla.mozilla.org/show_bug.cgi?id=260186
Opened 2001: https://bugzilla.mozilla.org/show_bug.cgi?id=68409

Since it's broken, nobody uses it, and nobody's interested in fixing it, I suppose HTTP Auth
should just be deprecated.  Cookie-based auth is awful, but it does work and people do use it.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 21:18 UTC (Thu) by martinfick (subscriber, #4455)

> Can you name a browser implementation that does work?

Yes, Konqueror. It stores this info in the KDE wallet system; the wallet system will allow you to remove entries from it.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 9, 2008 3:01 UTC (Fri) by bronson (subscriber, #4806)

That just forgets your password, right?  It doesn't actually allow you to log out.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 9, 2008 4:19 UTC (Fri) by evanp (subscriber, #50543)

Subsequent HTTP requests cause your browser to prompt you to log in, so yes, you are indeed
"logged out" in that sense. The server isn't notified, though, which might be what you were
asking about.

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 8, 2008 21:35 UTC (Thu) by martinfick (subscriber, #4455)

Also, with Mozilla you can simply insert a new username@ after the ":" of your protocol like
this "http://bogus@site.com" and it will then proceed to prompt you for a username & password.
Now you can enter your original username and a bogus password which it will now remember.
Yes, this is a hack, but it will do what you want.  There may be a better method, but that is
what I came up with quickly.  I was surprised that it was not stored under the password tab in
the options menus.
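
An added example, not part of any comment in this thread: a minimal stateless HTTP Basic check showing why "logging out" happens only on the client, as discussed in the comments above. The server judges each request solely on the `Authorization` header it carries, so a removed wallet entry or a cached bogus password both end in a 401 challenge and a new prompt. The account table, realm name and function names are constructed for illustration.

```python
import base64
import hmac

# Constructed account table and realm for the example (not from the thread).
USERS = {"alice": "correct horse"}
REALM = "example"


def basic_header(user, password):
    """Build the Authorization header a browser sends for cached credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def parse_basic(headers):
    """Return (user, password) from a Basic Authorization header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def handle(headers):
    """Stateless server: no session exists, only the header on this request."""
    creds = parse_basic(headers)
    if creds is not None:
        expected = USERS.get(creds[0])
        if expected is not None and hmac.compare_digest(
            expected.encode(), creds[1].encode()
        ):
            return 200, {}
    # Nothing to destroy server-side: the 401 challenge is what makes the
    # browser prompt again.
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def replay():
    """Statuses for: cached login, entry removed, bogus password cached."""
    return [
        handle(basic_header("alice", "correct horse"))[0],
        handle({})[0],
        handle(basic_header("alice", "bogus"))[0],
    ]
```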

Cryptographic splicing makes for a Wordpress vulnerability

Posted May 15, 2008 11:13 UTC (Thu) by endecotp (guest, #36428)

> Can you name a browser implementation that does work?

I believe that the old "Mozilla Suite" added an HTTP Auth logout button just-too-late for it
to end up in Firefox.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds