Re: Bug in CE Web service

From: Ravi (anonymous_at_discussions.microsoft.com)
Date: 08/02/04 

Date: Mon, 2 Aug 2004 04:47:09 -0700

A person who have found the big security threat just a
thanks for him. This is not a true professionalism.
>-----Original Message-----
>Yes, I have confirmed this is a bug. Thank you for the
good repro steps. I
>will work with our QFE team in order to fix this on
broken platforms that
>have shipped already and will also work with the QA
department to make sure
>this is tested better in the future. I'm embarassed
something this stupid
>could
>make it past me, QA, and so many others inside MS.
>
>I could not reproduce this when using NTLM rather than
Basic and verified
>that this is a basic only problem. (Since MS relies
mostly on NTLM this is
>how this bug slipped through.) So if you can change to
NTLM you will be
>fine. Netscape 7.1 supports NTLM, but if you want to
support earlier
>netscapes or other browsers this won't work.
>
>Thank you again for bringing this to our attention and
our sincerest
>apologies.
>
>--
>John Spaith
>Software Design Engineer, Windows CE
>Microsoft Corporation
>
>Have an opinion on the effectiveness of Microsoft
Embedded newsgroups? Let
>us know!
>https://www.windowsembeddedeval.com/community/newsgroups
>
>This posting is provided "AS IS" with no warranties, and
confers no rights.
>You assume all risk for your use. © 2003 Microsoft
Corporation. All rights
>reserved.
>
>"Dipesh" <dipesh@sdc.canon.co.in> wrote in message
>news:296ae01c464bb$e70430d0$a301280a@phx.gbl...
>Hi John
>Ya john bassically I have got the exect senarion for
>repeation this Problem.
>
>Download a new OS image.
>At the first bootup time -
>Create a account "ADMIN" with some password. Using the API
>SetPassword() and NTLMSetUserInfo().
>Now configure your any web site for this account . The
>authentication method is "Basic Authentication".
>
>You will be able to
>produce this bug.
>regards
>Dipesh
>
>
>>-----Original Message-----
>>Hmm... I've never heard of this problem before.
>Obviously we would never
>>knowingly ship a bug like this, so I'll need more
>information.
>>
>>You're using built in HTTP authentication (NTLM and/or
>Basic) and not some
>>sort of authentication that your IASPI extension is doing
>itself, correct?
>>Could you tell me what your virtual root registry
>settings are? Also if you
>>could get a netmon packet capture of the browser talking
>to the device that
>>would be good. Finally if you can get a debug version of
>the OS / web
>>server and turn on full debug zones for the web server,
>that would be ideal.
>>
>>Thanks.
>>
>>--
>>John Spaith
>>Software Design Engineer, Windows CE
>>Microsoft Corporation
>>
>>Have an opinion on the effectiveness of Microsoft
>Embedded newsgroups? Let
>>us know!
>>https://www.windowsembeddedeval.com/community/newsgroups
>>
>>This posting is provided "AS IS" with no warranties, and
>confers no rights.
>>You assume all risk for your use. © 2003 Microsoft
>Corporation. All rights
>>reserved.
>>
>>"Dipesh" <dipesh@sdc.canon.co.in> wrote in message
>>news:1a5af01c44ed7$b51d7bc0$a601280a@phx.gbl...
>>> Hi,
>>> Configure an ISAPI extension for http service in WIN CE
>>> 4.2. Giving the access to specific user.
>>> Try to access the site it will ask for user name and
>>> password. Try again and again with right user name but
>>> wrong password.
>>> It will display the access denied page.
>>> Press the refresh button of the browser. And repeat the
>>> same step giving the correct user name but wrong
>password.
>>> After some try you will be able to see the page.
>>>
>>> Can anyone suggest any solution for this problem?
>>>
>>> Dipesh
>>>
>>>
>>>
>>
>>
>>.
>>
>
>
>
>
>.
>