FIX: User Credentials Leak When You Use Web Services Command-Line Tools (318099)
The information in this article applies to:
- Microsoft Web Services (included with the .NET Framework 1.1)
- Microsoft Web Services (included with the .NET Framework) 1.0
This article was previously published under Q318099.

SYMPTOMS
When you use the Web Services Description Language Tool (Wsdl.exe) or the Web Services Discovery tool (Disco.exe) to specify credentials, such as your user name and password, from the command line, a credentials leak may occur.

CAUSE
When you use the Web Services Description Language Tool or the Web Services Discovery tool to specify credentials from the command line, the specified credentials are used for every URI that the tool downloads. However, the documents that Disco.exe and Wsdl.exe retrieve may refer to documents outside the domain in which they originated, including domains referenced over the Internet. When the tool downloads any referenced external document and the external server challenges for authentication, the credentials leak to that server. If the external Web server challenges with the Basic authentication scheme, the credentials are sent as clear text.

NOTE: The credentials are sent only when a server responds with a "401 Unauthorized" error message. The credentials that are leaked are not Microsoft Windows credentials. Instead, they are the credentials for the Web site that hosts the Disco.exe or Wsdl.exe documents.

RESOLUTION
A resolution for this issue will be available in an upcoming version of the Microsoft .NET Framework SDK.

To work around this issue, configure the server to collect all external imports (including those for Web Services Description Language [WSDL] and XML Schema Definition [XSD] documents) on its internal domain. This prevents the imports from referencing external or untrusted sites.

STATUS
This bug was corrected in .NET Framework (2003|1.1).

MORE INFORMATION
For optimal security, the user name and password must be sent only to the servers for the URLs that you specify on the command line. However, because of the bug described in the "Symptoms" section of this article, the credentials are sent both to those specified servers and to any server that documents downloaded from the specified servers link to.
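The following script is an added example and is not part of this article or of the .NET Framework SDK tools. It shows two defensive checks that follow from the behaviour described above: an audit that parses a WSDL document for wsdl:import, xs:import and xs:include locations and reports which ones resolve outside the origin named on the command line (these are the imports the workaround says to rehost on the internal domain), and a credential-scoping rule that releases credentials only to the hosts named on the command line, which is the intended behaviour stated under "More Information". The sample WSDL and the host names in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, urljoin

# Namespaces of the elements that can pull in further documents.
WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
XSD_NS = "http://www.w3.org/2001/XMLSchema"

# Constructed sample document: two imports on the origin host (one absolute,
# one relative) and two that point at other domains.
SAMPLE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             targetNamespace="urn:example">
  <import namespace="urn:shared" location="https://intranet.example.test/shared.wsdl"/>
  <import namespace="urn:ext" location="http://partner.example.net/types.wsdl"/>
  <types>
    <xs:schema>
      <xs:import namespace="urn:common" schemaLocation="common.xsd"/>
      <xs:include schemaLocation="https://cdn.example.org/base.xsd"/>
    </xs:schema>
  </types>
</definitions>
"""


def referenced_locations(wsdl_text, base_url):
    """Return the absolute URL of every wsdl:import, xs:import and xs:include.

    Relative locations are resolved against base_url, the URL the document
    was fetched from, exactly as a downloader would resolve them.
    """
    root = ET.fromstring(wsdl_text)
    locations = []
    for el in root.iter(f"{{{WSDL_NS}}}import"):
        if el.get("location"):
            locations.append(urljoin(base_url, el.get("location")))
    for tag in ("import", "include"):
        for el in root.iter(f"{{{XSD_NS}}}{tag}"):
            if el.get("schemaLocation"):
                locations.append(urljoin(base_url, el.get("schemaLocation")))
    return locations


def _origin(url):
    """Scheme, host and effective port, so http://h and http://h:80 match."""
    p = urlparse(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def credential_scope_check(wsdl_text, command_line_url):
    """Split referenced documents into in-scope (same origin as the URL given
    on the command line) and external (a different origin).

    External entries are the ones that would receive the command-line
    credentials on a 401 challenge under the buggy behaviour, and the ones
    the workaround says to collect on the internal domain instead.
    """
    in_scope, external = [], []
    for loc in referenced_locations(wsdl_text, command_line_url):
        target = in_scope if _origin(loc) == _origin(command_line_url) else external
        target.append(loc)
    return in_scope, external


def should_send_credentials(request_url, command_line_urls, challenged):
    """Intended rule: credentials go only to a server that challenged with
    401 *and* whose origin matches a URL specified on the command line."""
    if not challenged:
        return False
    return any(_origin(request_url) == _origin(u) for u in command_line_urls)


if __name__ == "__main__":
    origin_url = "https://intranet.example.test/svc.wsdl"
    ok, ext = credential_scope_check(SAMPLE_WSDL, origin_url)
    print("in-scope imports:", ok)
    print("external imports (rehost internally):", ext)
    for loc in ok + ext:
        print(loc, "-> send credentials on 401:",
              should_send_credentials(loc, [origin_url], challenged=True))
```

Run the audit against a WSDL before pointing Wsdl.exe or Disco.exe at it with a user name and password: an empty external list means every document the tool will fetch shares the origin you authenticated to, so the leak described above cannot occur for that document.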
Modification Type: Major
Last Reviewed: 9/16/2003
Keywords: kbfix kbbug kbnofix KB318099