----- Original Message -----
Sent: Friday, November 26, 1999 2:42 PM
Subject: Be careful with IE5 serious security failure
I happened to test some of my sites with IE5. I especially tested all my sites which had security login/password access. IE5 seems to have the capacity to store the login/password couple, and when you arrive at such a page, it first proposes a list of all the logins which have already been entered, and secondly, when you select a login among those that are shown in the list, it automatically fills the password field. Not that bad, the password is hidden with ***. It could have been worse ;-) Not much but still.
Combine this with the poor, broken (non-existent ???) Windows login procedure, and you have a secured site which anybody is allowed to enter. Because, of course, I forgot to mention, all this also works with SSL-secured sites :-(((
I solved the problem by splitting the form into 2 parts. One form that only contains the login input field. A second, with the password field, a button (type button), and a hidden field. When the button is pressed, it runs a little JavaScript function that copies the content of the first form's login input into the second's, and submits the second form. Hence, the two user-fillable fields have no logical link, except that they are located on the same page. IE5 still proposes a list of logins in the first input field, but cannot link the value with a password.
I'm going to modify all the login pages I did before.
I hope this will help
Sylvain
Computers are like air conditioners - they stop working properly when you open Windows
UNIX _IS_ user friendly. It's just selective about who its friends are.
______________________________________________
Sylvain Roche
Head of Development
Add-Online
www.add-online.fr
70bis rue Bossuet
69006 LYON
France
tel: +33 472838583
fax: +33 472838584
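
The two-form workaround described in the message, sketched as an added example that is not the author's own code. The form names, field names and the `/login` action are assumptions made for illustration.

```javascript
// Markup for the page (assumed names). The first form holds only the login
// field and never submits on its own; the second holds the password field,
// a plain button and a hidden field that receives the login at click time.
const LOGIN_PAGE = `
<form name="loginForm" onsubmit="return false">
  Login: <input type="text" name="login">
</form>
<form name="passForm" method="post" action="/login">
  Password: <input type="password" name="password">
  <input type="hidden" name="login">
  <input type="button" value="Log in"
         onclick="submitLogin(document.forms.loginForm,
                              document.forms.passForm)">
</form>`;

// Copy the visible login into the hidden field of the password form, then
// submit the password form only. The browser sees a login field with no
// password field in its form, and a password field with no visible login
// field in its form, so it has no login/password pair to remember together.
function submitLogin(loginForm, passForm) {
  const login = loginForm.elements.login.value;
  const password = passForm.elements.password.value;

  // Refuse to submit half-filled credentials; the hidden field stays empty.
  if (login === "" || password === "") {
    return false;
  }

  passForm.elements.login.value = login;
  passForm.submit();
  return true;
}
```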