Posted by Gordon Burditt on 11/08/07 00:08
>> What arguments does such a NTLM request require?
>
>to make it simple:
>server tells the browser: you need to authenticate using NTLM, valid
>user is required. then browser sends the server id of a user.

What *browsers* do that? If a browser does that when talking over
the Internet, especially without asking for confirmation, I consider
it a serious security hole. If the user is asked to enter a valid
user name, it rather defeats the purpose of not having to log in
for the web page after you've already logged in on the workstation.
And since anything that comes from a browser is easily faked, it
seems to make pretending to be someone else fairly easy. All I
have to do is get that magic number. I think for that all I have
to do is find a file that he owns that I can look at the permissions
on, which might be easy to find on a shared volume.

>something like:
>S-1-5-21-3127170830-3942366122-3349335812-41005
>now it is web server's role to do something with it.
>in most corporate environments - use LDAP call to get real name
>> Suppose: there are several people logged in on various machines
>> on the local network. There are several people logged in on the
>> same machine as user who's making the HTTP request (possible with
>> terminal server or remote desktop on a Windows machine). What
>> information does the HTTP server have to tell which user made the
>> request?
>
>the one who owns the task running web browser. the one that
>started web browser, of course

Unless, of course, the web browser LIES.
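On the question the thread asks, what the HTTP server actually receives: this is an added example, not code from the original post, that decodes the token of an `Authorization: NTLM <base64>` header on the server side and lists the fields of the browser's AUTHENTICATE message. The sample token, the names `CORP`, `alice` and `WS01`, and the helper `build_sample_type3` are constructed for illustration, and the parser assumes the common 64-byte fixed header layout.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001

def _buf(msg, off):
    # Security buffer: length (2), allocated size (2), payload offset (4), little-endian.
    length, _, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def parse_ntlm_header(value):
    """Decode the token of an 'NTLM <base64>' HTTP header value."""
    scheme, _, b64 = value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(b64, validate=True)
    if len(msg) < 12 or msg[:8] != SIG:
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 2 and len(msg) >= 32:      # CHALLENGE: server -> browser
        return {"type": 2, "server_challenge": msg[24:32]}
    if mtype == 3 and len(msg) >= 64:      # AUTHENTICATE: browser -> server
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        _lm, nt, dom, user, host = (_buf(msg, o) for o in (12, 20, 28, 36, 44))
        # domain/user/workstation are only claims; the NT response, computed from
        # the server challenge, is what has to be verified before trusting them.
        return {"type": 3, "domain": dom.decode(enc), "user": user.decode(enc),
                "workstation": host.decode(enc), "nt_response_len": len(nt)}
    return {"type": mtype}                  # NEGOTIATE (1) or unhandled layout

def build_sample_type3(domain, user, host):
    """Constructed sample token (dummy response bytes), for offline parsing only."""
    parts = [b"\x00" * 24, b"\xaa" * 24]
    parts += [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    fields, payload, off = b"", b"", 64
    for p in parts:
        fields += struct.pack("<HHI", len(p), len(p), off)
        payload += p
        off += len(p)
    msg = SIG + struct.pack("<I", 3) + fields + struct.pack("<I", NEGOTIATE_UNICODE) + payload
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(parse_ntlm_header(build_sample_type3("CORP", "alice", "WS01")))
```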