Re: (none) [httpd finding your identity]
Jeff Weinstein writes:
>The snoop program is using FTP to find out the user's e-mail
>address. The image on the page is an ftp: URL. Our FTP code
>was sending the user's e-mail address as the password for
>anonymous FTP, which is what is usually requested by FTP sites.
>The perl script was waiting for the FTP to happen, and then
>looking at its log to figure out the email address.
>
> I've removed the code that uses the e-mail address as the
>FTP password for anonymous FTPs. You can still enter it by
>hand by using a URL of this form 'ftp://[email protected]'.
>This will cause the navigator to prompt the user for the
>password to send for anonymous. This is a little-known feature
>that will also allow users to access non-anonymous ftp
>accounts via netscape.
Or you can use 'ftp://anonymous:[email protected]/', and
skip the prompt. Not really less secure (assuming you can prevent
shoulder surfers) as FTP sends the password in the clear, anyway.
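
The leak discussed in this thread depends on a page embedding an ftp: URL that the browser fetches on load. As an added example (not part of the original messages), this Python sketch audits HTML for such auto-loaded ftp: subresources; the tag/attribute list and the `.example` hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs a browser fetches without a click (assumed list).
AUTOLOAD_ATTRS = {("img", "src"), ("body", "background"), ("embed", "src"),
                  ("frame", "src"), ("iframe", "src")}


class FtpSubresourceAudit(HTMLParser):
    """Collect ftp: URLs that a page would make the browser fetch on load."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in AUTOLOAD_ATTRS or not value:
                continue
            parts = urlsplit(value.strip())
            if parts.scheme.lower() != "ftp":
                continue
            self.findings.append({
                "tag": tag,
                "host": parts.hostname,
                "user": parts.username,
                # True when the URL itself carries the password to send.
                "password_in_url": parts.password is not None,
                # No user in the URL: the client picks the anonymous login
                # and its password itself, the case described in the thread.
                "implicit_anonymous": parts.username is None,
            })


def audit(html):
    parser = FtpSubresourceAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page; hosts use the reserved .example TLD.
SAMPLE = """<html><body>
<img src="http://www.site.example/logo.gif">
<img src="ftp://ftp.snoop.example/pixel.gif">
<a href="ftp://ftp.mirror.example/pub/">mirror</a>
<img src="FTP://anonymous:guest@ftp.other.example/x.gif">
</body></html>"""
```

Only the two `<img>` tags with ftp: sources are reported; the `<a href>` link is skipped because it is not fetched until the user clicks it.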