Re: www-validator Security Issue (Basic Auth)

From: Gerald Oskoboiny <gerald@w3.org>
Date: Wed, 5 Sep 2001 00:49:47 -0400
To: Samuel Rinnetmäki <samuel.rinnetmaki@tothepoint.fi>
Cc: www-validator@w3.org
Message-ID: <20010905004947.A23145@w3.org>

On Mon, Sep 03, 2001 at 02:08:54PM +0300, Samuel Rinnetmäki wrote:
> If I use the Validator to validate a document on a server (A) which
> requires authentication, Validator asks for the credentials. If I then try
> and validate another document on another server (B), my browser sends the
> same credentials to the Validator and the validator forwards them to the
> server (B).  Thus the server B receives the authorization headers that
> were required by a document on the server (A).  The authorization header
> is sent even if the document on the server (B) doesn't require
> authentication.

Thanks for the clear report; we'll try to get this fixed ASAP.

I think this would be fairly difficult for someone to exploit,
for the reason Nick pointed out (the obscurity of server A.)
However, we should certainly get it fixed anyway.

Gerald Oskoboiny     http://www.w3.org/People/Gerald/
World Wide Web Consortium (W3C)    http://www.w3.org/
tel:+1-613-261-6630             mailto:gerald@w3.org
Received on Wednesday, 5 September 2001 00:50:19 UTC
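
One way a proxying fetcher could keep the credentials from the report above scoped to server A, as an added example that is not part of this message or of the Validator's code. It assumes the service keeps per-user-session state; `SessionCredentialScope`, `target_challenged` and `outbound_headers` are hypothetical names.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) of url, normalised for comparison."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("unsupported or malformed URL: %r" % (url,))
    # .hostname ignores userinfo: "http://a.example@b.example/" is b.example.
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])


class SessionCredentialScope:
    """Hypothetical per-session state: which origin each credential belongs to."""

    def __init__(self):
        self._pending = set()  # origins that answered 401, awaiting credentials
        self._bound = {}       # Authorization value -> origin it was entered for

    def target_challenged(self, target_url):
        """Call when target_url answered 401 and the challenge is relayed."""
        self._pending.add(origin(target_url))

    def outbound_headers(self, target_url, browser_headers):
        """Headers safe to send to target_url."""
        target = origin(target_url)
        headers = {k: v for k, v in browser_headers.items()
                   if k.lower() != "authorization"}
        auth = next((v for k, v in browser_headers.items()
                     if k.lower() == "authorization"), None)
        if auth is not None and auth not in self._bound and target in self._pending:
            # First credential seen after this origin's challenge: bind it here.
            self._bound[auth] = target
            self._pending.discard(target)
        if auth is not None and self._bound.get(auth) == target:
            headers["Authorization"] = auth
        # Otherwise a credential entered for another origin is dropped.
        return headers


if __name__ == "__main__":  # constructed hosts and credential
    s = SessionCredentialScope()
    s.target_challenged("http://a.example/private/")
    cred = {"Authorization": "Basic dXNlcjpwYXNz"}
    print(s.outbound_headers("http://a.example/private/", cred))  # forwarded
    print(s.outbound_headers("http://b.example/", cred))          # dropped
```

A credential that is identical on two servers stays bound to the first one, so this sketch fails closed rather than guessing.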
