COMMAND

    Cleartext Password display in NS Communicator

SYSTEMS AFFECTED

    Systems running NS Communicator and connecting via a Squid proxy

PROBLEM

    The following has  been tested with  Netscape Communicator 4.0  on
    NT 4  and 4.0b4  on Linux  with the  same results.   The plaintext
    password  for  a  machine  accessed  through  FTP  is displayed by
    Communicator in some cases.  Credit goes to Fred Albrecht.

    Method for reproduction:

        1. start NS Communicator
        2. enter a URL of the form 'ftp://user@host'
        3. fill in the password in the box that Communicator pops up
        4. when the file list is displayed, follow the 'Parent Directory' link
        5. click 'back' (seems to be optional in Linux)

    The password is now plainly visible in the URL field:

        'ftp://user:passwd@host'

    This is of course a bad thing, especially since JavaScript
    programs can access the history list.

    Note that this happens only when connecting through a Squid proxy
    (1.1.10), and the password also appears in Squid's access.log.
    Reports also confirm that the same happens with Squid 1.1.11 and
    Squid 1.NOVM.10.
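
    Since the password-bearing URL is written to access.log, existing
    logs can be checked for it and cleaned.  The scanner below is an
    added example, not part of the original advisory; the sample log
    lines are constructed and their field layout is an assumption (the
    scanner only looks for URLs, so it does not depend on the layout).

```python
import re

# scheme://user:password@host  The password group stops at the first '@', '/'
# or whitespace; a literal '@' inside a password is percent-encoded in a URL.
CRED_URL = re.compile(
    r"(?P<scheme>[a-z][a-z0-9+.-]*)://"
    r"(?P<user>[^\s:/@]+):(?P<pw>[^\s/@]+)@(?P<host>[^\s/:@]+)",
    re.IGNORECASE,
)

def redact(line):
    """Return the line with any URL password replaced by a fixed marker."""
    return CRED_URL.sub(
        lambda m: f"{m['scheme']}://{m['user']}:[REDACTED]@{m['host']}", line
    )

def scan(lines):
    """Yield (line_number, user, host, redacted_line) for each leaked password."""
    for n, line in enumerate(lines, 1):
        for m in CRED_URL.finditer(line):
            yield n, m["user"], m["host"], redact(line.rstrip("\n"))

# Constructed sample lines (not taken from a real log).
SAMPLE_LOG = [
    # login without a password in the URL: not a leak
    "871234567.101 1520 10.0.0.5 TCP_MISS/200 2048 GET ftp://user@host/ - DIRECT/host text/html",
    # the form described in the advisory: password in the URL
    "871234570.442 980 10.0.0.5 TCP_MISS/200 1024 GET ftp://user:passwd@host/pub/ - DIRECT/host text/html",
    # host:port must not be mistaken for user:password
    "871234575.007 310 10.0.0.9 TCP_MISS/200 512 GET http://www.example.com:8080/index.html - DIRECT/www.example.com text/html",
]

if __name__ == "__main__":
    for n, user, host, clean in scan(SAMPLE_LOG):
        print(f"line {n}: password for {user}@{host} in log")
        print(f"  {clean}")
```

    To check a real log, pass the open file object to scan() in place
    of SAMPLE_LOG.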

SOLUTION

    You  have  to  change  squid.conf  so that ftpget_options includes
    either the "-a" or "-A" flag.

    Example of one config file:

    ftpget_options -a -p http://www.you.com/tisservices/proxy/ -s .gif -w 25

    For the list of possible options run

        /usr/local/squid/bin/ftpget -h

    These are the relevant options:

        -a              Do not show password in generated URLs
        -A              Do not show login information in generated URLs