Microsoft KB Archive/318099

= FIX: User Credentials Leak When You Use Web Services Command-Line Tools =

Article ID: 318099

Article Last Modified on 2/23/2007

-

APPLIES TO


 * Microsoft Web Services Enhancements for Microsoft .NET 1.1
 * Microsoft Web Services Enhancements for Microsoft .NET 2.0

-



This article was previously published under Q318099



SYMPTOMS
When you use the Web Services Description Language Tool (Wsdl.exe) or the Web Services Discovery tool (Disco.exe) to specify credentials, such as your user name and password, from the command line, a credentials leak may occur.



CAUSE
When you use the Web Services Description Language Tool or the Web Services Discovery tool to specify credentials from the command line, those credentials are used for every URI that the tool downloads, not only for the URL you named.

However, the DISCO and WSDL documents that these tools download may refer to documents outside the domain in which they originated, including documents on servers that are reached over the Internet. When the tool downloads such an externally referenced document and the external server responds with an authentication challenge, the credentials leak to that server. If the external Web server challenges with the Basic authentication scheme, the credentials are sent in clear text.

NOTE: The credentials are sent only when a server responds with a "401 Unauthorized" error message. The leaked credentials are not Microsoft Windows credentials; they are the credentials for the Web site that hosts the DISCO or WSDL documents.



RESOLUTION
A resolution for this issue will be available in an upcoming version of Microsoft .NET Framework SDK.

To work around this issue, configure the server so that all external imports (including those for Web Services Description Language [WSDL] and XML Schema definition [XSD] documents) are collected and served from its internal domain. The downloaded documents then no longer reference external or untrusted sites.
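A check for the condition described in the "Cause" section and for the workaround above, added here as an example and not part of the KB article or the SDK: it walks a WSDL, XSD or DISCO document and lists every import or reference whose host differs from the server the document came from, which is the set of servers that would receive the command-line credentials on a 401 challenge. The sample document, host names and the reference-attribute table are constructed for the example.

```python
# Added example (not from the KB article): list the references in a WSDL, XSD
# or DISCO document that point outside the host it was fetched from. Each one
# is a server to which Wsdl.exe/Disco.exe, run with command-line credentials,
# would send those credentials if it answered with a 401 challenge.
from urllib.parse import urljoin, urlparse
import xml.etree.ElementTree as ET
# (element local name, attribute) pairs that carry references; namespaces are
# ignored so one walker covers WSDL 1.1 imports, XSD imports/includes and DISCO.
REFERENCE_ATTRS = {
    ("import", "location"),         # wsdl:import
    ("import", "schemaLocation"),   # xsd:import
    ("include", "schemaLocation"),  # xsd:include
    ("contractRef", "ref"),         # disco contractRef
    ("discoveryRef", "ref"),        # disco discoveryRef
}

def _local_name(tag):
    # ElementTree renders namespaced names as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]

def external_references(document_xml, origin_url):
    """Sorted absolute URLs whose host differs from that of origin_url; relative
    references resolve against origin_url, so same-site imports are not reported."""
    origin_host = urlparse(origin_url).netloc.lower()
    found = set()
    for element in ET.fromstring(document_xml).iter():
        name = _local_name(element.tag)
        for attr, value in element.attrib.items():
            if (name, _local_name(attr)) in REFERENCE_ATTRS:
                absolute = urljoin(origin_url, value)
                if urlparse(absolute).netloc.lower() != origin_host:
                    found.add(absolute)
    return sorted(found)

# Constructed sample: an intranet WSDL with one local import and one schema
# import from an unrelated Internet host.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <import namespace="urn:local" location="common.wsdl"/>
  <types><xsd:schema>
    <xsd:import namespace="urn:ext"
                schemaLocation="http://schemas.example.net/ext.xsd"/>
  </xsd:schema></types>
</definitions>"""

if __name__ == "__main__":
    origin = "http://intranet.example.local/svc.wsdl"
    for url in external_references(SAMPLE_WSDL, origin):
        print("credentials would be offered to:", url)
```

An empty result for every document the tool will fetch is the state the workaround aims for: all imports resolve to the server's own domain.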



STATUS
This bug was corrected in .NET Framework 1.1.



MORE INFORMATION
For optimal security, the user name and password must be sent only to the servers for those URLs specified on the command line. However, because of the bug described in the "Symptoms" section of this article, these credentials are sent to those specified servers and to any servers that any documents downloaded from those specified servers are linked to.

Keywords: kbfix kbbug kbnofix KB318099

-


© Microsoft Corporation. All rights reserved.