COMMAND

    aps (AUTH_PASSWORD)

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Vincent Lok found the following.  With basic authentication on IIS,
    one can obtain the password of users accessing an ASP page via the
    server variable AUTH_PASSWORD.  The line

        <%= Request.ServerVariables("AUTH_PASSWORD") %>

    in an .asp file will do the trick.  With this, web page authors and
    content providers (probably not the same person who administers the
    web server and the NT domain) can easily trap the passwords of
    other domain users.

SOLUTION

    Basic authentication is never secure, as it is possible to capture
    the password by sniffing and decoding the authentication packets,
    but this requires access to the network and some (though not much)
    technical expertise.  Note that IIS ships by default with basic
    auth disabled; you have to have admin rights on the site to change
    this.  In IIS 3.0, authentication was set at the web server level.
    In IIS 4.0, you can set authentication at the web site, directory,
    or file level.  SSL secures the transmission of user name/password
    pairs over the wire, but a web developer can still read the
    AUTH_PASSWORD server variable once the request hits the server.
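
    Since SSL does not help against content authors reading the variable
    on the server, the practical check for an IIS administrator is an
    audit of the site's ASP source for the construct shown under PROBLEM.
    The following is an added example written for this page, not code
    from the advisory or from Microsoft; the file names and contents are
    constructed, and the Request("AUTH_PASSWORD") variant is included on
    the assumption that classic ASP's Request(name) falls back to the
    ServerVariables collection.

```python
import re
from typing import Dict, List, Tuple

# Flag both the explicit form from the advisory and the shorthand
# Request("AUTH_PASSWORD"), which reads the same server variable.
# Case-insensitive, since VBScript identifiers and the variable name
# lookup are not case-sensitive.
AUTH_PASSWORD_RE = re.compile(
    r"""Request(?:\.ServerVariables)?\s*\(\s*["']AUTH_PASSWORD["']\s*\)""",
    re.IGNORECASE,
)


def find_auth_password_refs(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each line of one ASP file
    that reads AUTH_PASSWORD.  Whole-line VBScript comments are skipped."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        if code.startswith("'") or code.upper().startswith("REM "):
            continue
        if AUTH_PASSWORD_RE.search(code):
            hits.append((lineno, code))
    return hits


def audit_site(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str]]]:
    """Run the check over a {path: source} mapping; return only files with hits."""
    return {path: hits for path, src in files.items()
            if (hits := find_auth_password_refs(src))}


# Constructed sample site content (not from any real server).
SAMPLE_SITE = {
    "default.asp": '<html><body>\n<%= Request.ServerVariables("AUTH_USER") %>\n'
                   '</body></html>\n',
    "capture.asp": '<%\n\' read the basic-auth password\npw = Request("auth_password")\n'
                   '%>\n<%= Request.ServerVariables("AUTH_PASSWORD") %>\n',
    "notes.asp": '<%\n\' never use Request.ServerVariables("AUTH_PASSWORD")\n%>\n',
}

if __name__ == "__main__":
    for path, hits in audit_site(SAMPLE_SITE).items():
        for lineno, code in hits:
            print(f"{path}:{lineno}: {code}")
```

    On a real server, replace SAMPLE_SITE with the .asp files read from
    the web root; a hit in content that the site administrator did not
    author is the condition this advisory describes.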