
Re: www-validator Security Issue (Basic Auth)

From: Gerald Oskoboiny <gerald@w3.org>
Date: Wed, 5 Sep 2001 00:49:47 -0400
To: Samuel Rinnetmäki <samuel.rinnetmaki@tothepoint.fi>
Cc: www-validator@w3.org
Message-ID: <20010905004947.A23145@w3.org>

On Mon, Sep 03, 2001 at 02:08:54PM +0300, Samuel Rinnetmäki wrote:
:
> If I use the Validator to validate a document on a server (A) which
> requires authentication, Validator asks for the credentials. If I then try
> and validate another document on another server (B), my browser sends the
> same credentials to the Validator and the validator forwards them to the
> server (B).  Thus the server B receives the authorization headers that
> were required by a document on the server (A).  The authorization header
> is sent even if the document on the server (B) doesn't require
> authentication.

Thanks for the clear report; we'll try to get this fixed ASAP.

I think this would be fairly difficult for someone to exploit,
for the reason Nick pointed out (the obscurity of server A.)
However, we should certainly get it fixed anyway.

-- 
Gerald Oskoboiny     http://www.w3.org/People/Gerald/
World Wide Web Consortium (W3C)    http://www.w3.org/
tel:+1-613-261-6630             mailto:gerald@w3.org
Received on Wednesday, 5 September 2001 00:50:19 GMT
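
The forwarding behaviour described in the quoted report, next to a fetch routine that sends credentials only after the target has answered 401, as an added example that is not part of this message or of the validator's own code. The host names, the credential and all function names are constructed for illustration, and the "servers" are in-memory stand-ins, so nothing touches the network.

```python
# Added example: constructed in-memory "servers", no network access.
from urllib.parse import urlsplit

# Constructed origins: A protects its document with Basic auth, B does not.
# "dXNlcjpwYXNz" is base64 for the made-up pair user:pass.
SERVERS = {
    "a.example": {"realm": "Intranet", "accepts": "Basic dXNlcjpwYXNz"},
    "b.example": {"realm": None, "accepts": None},
}
SEEN = []  # (host, Authorization header or None) for every upstream request


def origin_request(url, headers):
    """Stand-in for the HTTP client: returns (status, response headers)."""
    host = urlsplit(url).hostname
    server = SERVERS[host]
    auth = headers.get("Authorization")
    SEEN.append((host, auth))
    if server["realm"] is None:
        return 200, {}
    if auth == server["accepts"]:
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="%s"' % server["realm"]}


def fetch_forward_always(url, browser_auth):
    """Behaviour described in the report: relay whatever the browser sent."""
    headers = {"Authorization": browser_auth} if browser_auth else {}
    return origin_request(url, headers)


def fetch_on_challenge(url, browser_auth):
    """Send credentials only after this origin has answered 401."""
    status, resp = origin_request(url, {})
    if status == 401 and browser_auth:
        status, resp = origin_request(url, {"Authorization": browser_auth})
    return status, resp


def headers_seen_by(host, fetch, url, browser_auth):
    """Run one fetch and return the Authorization values `host` received."""
    del SEEN[:]
    fetch(url, browser_auth)
    return [auth for h, auth in SEEN if h == host]
```

This covers the case in the report, where server B does not ask for authentication; tying credentials to the one origin whose challenge prompted them needs per-user state and is not shown.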
