Thread: Clear text passwords

  1. #1

    Clear text passwords

    W2K server, SP3, IIS5, Citrix NFuse 1.7
    I've noticed in the IIS logs that a week ago it started logging connections from users showing passwords in clear text, like this:

    2003-11-27 16:31:43 10.102.16.43 - 10.0.20.46 80 GET /Citrix/Nfuse17/CMS/redirect.asp user=edufour&password=Nor#lleVie2 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461)

    I've also noticed that when the connection is done through the POST method the password is not disclosed at all...

    Any ideas as to why passwords started appearing in the log in clear text would be much appreciated.
    Also... what's the difference in authenticating through POST and through GET?

    Thanks.
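    A detector for exactly what the poster found, as an added example (not code from the thread, Citrix or Microsoft): it parses IIS W3C extended log text, flags any entry whose cs-uri-query carries a credential-looking parameter, and produces a redacted copy of the query so the finding can be reported without re-leaking the value. The #Fields header in the constructed sample is an assumption chosen to match the columns visible in the log line above; the list of sensitive parameter names is likewise a starting point, not a standard.

```python
"""Scan IIS W3C extended log text for credentials that leaked into the URL.

Added example; not code from the original thread, Citrix NFuse or IIS. The
#Fields header in the constructed sample is an assumption matching the columns
visible in the quoted log line.
"""
from urllib.parse import unquote

# Parameter names that should never appear in an access log. Extend to taste.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pass", "pin", "token", "secret"}

# Constructed sample log: IIS-style header, the entry from the post (password kept
# so the detector has something to find), a harmless GET, and a POST whose
# credentials travelled in the body and therefore log "-" for cs-uri-query.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-11-27 16:31:43
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-11-27 16:31:43 10.102.16.43 - 10.0.20.46 80 GET /Citrix/Nfuse17/CMS/redirect.asp user=edufour&password=Nor#lleVie2 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461)
2003-11-27 16:32:01 10.102.16.43 - 10.0.20.46 80 GET /Citrix/Nfuse17/login.asp - 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461)
2003-11-27 16:33:10 10.102.16.50 - 10.0.20.46 80 POST /Citrix/Nfuse17/login.asp - 302 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0;+Q312461)
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive.

    IIS writes '-' for an empty field and '+' for spaces inside a value, so a
    plain whitespace split recovers the columns. Lines with the wrong number of
    columns are skipped rather than guessed at.
    """
    fields = None
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue
        entry = dict(zip(fields, parts))
        entry["line"] = number
        yield entry


def _split_pairs(query):
    """Split a raw query string into (key, value) pairs without decoding the
    values, so redaction leaves non-sensitive bytes exactly as logged."""
    if query in ("", "-"):
        return []
    return [part.partition("=")[::2] for part in query.split("&") if part]


def _is_sensitive(raw_key):
    # Keys may be percent-encoded or mixed case in the log; normalise before comparing.
    return unquote(raw_key).lower() in SENSITIVE_KEYS


def leaked_keys(query):
    """Return the (decoded) names of sensitive parameters present in cs-uri-query."""
    return [unquote(k) for k, _ in _split_pairs(query) if _is_sensitive(k)]


def redact_query(query):
    """Return the query with sensitive values replaced, '-' and '' passed through."""
    pairs = _split_pairs(query)
    if not pairs:
        return query
    return "&".join(f"{k}=[REDACTED]" if _is_sensitive(k) else f"{k}={v}" for k, v in pairs)


def find_credential_leaks(text):
    """Return one finding per log entry whose query string carries a credential."""
    findings = []
    for entry in parse_w3c(text):
        query = entry.get("cs-uri-query", "-")
        keys = leaked_keys(query)
        if keys:
            findings.append({
                "line": entry["line"],
                "c-ip": entry.get("c-ip"),
                "cs-method": entry.get("cs-method"),
                "cs-uri-stem": entry.get("cs-uri-stem"),
                "leaked_keys": keys,
                "redacted_query": redact_query(query),
            })
    return findings


if __name__ == "__main__":
    for f in find_credential_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['c-ip']} {f['cs-method']} {f['cs-uri-stem']} "
              f"leaked {f['leaked_keys']} -> {f['redacted_query']}")
```

    Run it over a real log directory and the findings are the set of users whose passwords must be rotated, since anyone who could read the log file (backup operators, log shippers, whoever pulls logs for troubleshooting) has had them. Redacting the stored log after the fact does not undo that exposure; it only stops it growing.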

  2. #2

    Re:Clear text passwords

    If you are running NFuse for your company, you should really consider acquiring an SSL ticket from a provider like Verisign and only accepting connections to your NFuse box via SSL.

  3. #3

    Re:Clear text passwords

    Should I interpret your answer as "NFuse will always log clear text passwords to IIS logs" (unless there is some ticketing in place)?
    Thanks.

  4. #4

    Re:Clear text passwords

    I don't know that this will stop the passwords being logged. I do know that no passwords show up in my IIS logs and I am using NFuse Classic with an SSL certificate acquired from Verisign. Keep in mind that Citrix ticketing does not perform session encryption. It only helps alleviate session hijacking, or someone stealing the ICA cookie from the user's browser to present to the Citrix ICA service in an attempt to gain unauthorized access. Actual session-level encryption must be achieved by means other than ticketing, both for NFuse to XML service encryption and for client to server encryption. If you have an extra box around, setting up the Citrix Secure Gateway with NFuse 1.7 is not a bad idea (if you have not already done so).

  5. #5

    Re:Clear text passwords

    I guess that's just the way IIS does its logging for variable handling. It shows them all in a GET-like way. I strongly advise you to use an Apache version for Windows with SSL rather than using IIS. The company I work for moved a few months back and we've had fewer problems and an easier time maintaining the security and stability of our web server (and our data is super, super sensitive).

  6. #6

    Re:Clear text passwords

    The problem is simply that that is a GET request. Post works by going to url foo and sending the variables to it after requesting foo. GET works by requesting foo?variable=a&variable2=b.

  7. #7

    Re:Clear text passwords

    It wouldn't matter even if you stopped logging passwords, the packet can still be intercepted and passwords still in clear text. Any form of encryption would be a better answer than any.

  8. #8

    Re:Clear text passwords

    Ashcrow wrote:
    > I guess that's just the way IIS does its logging for variable handling. It shows them all in a GET-like way. I strongly advise you to use an Apache version for Windows with SSL rather than using IIS. The company I work for moved a few months back and we've had fewer problems and an easier time maintaining the security and stability of our web server (and our data is super, super sensitive).

    You don't have to suggest using Apache :-) That was my first choice, and for some time NFuse was running on Apache on a Linux box. But management decided to use IIS because our programmers don't know shit about Linux... If you ask me, I think it would make sense (even financially) to hire programmers that know something about Linux... after all we have quite a lot of things running on Linux in our company... but it's not my call :-(

  9. #9

    Re:Clear text passwords

    gorn wrote:
    > The problem is simply that that is a GET request. POST works by going to URL foo and sending the variables to it after requesting foo. GET works by requesting foo?variable=a&variable2=b.

    gorn,
    thanks for clarifying that.
