BugTraq
Thread: MS to stop allowing passwords in URLs
  MS to stop allowing passwords in URLs, Jan 28 2004 10:54PM, McAllister, Andrew (McAllisterA umsystem edu) (10 replies)
    Re: MS to stop allowing passwords in URLs, Feb 03 2004 10:12PM, Nick FitzGerald (nick virus-l demon co uk)
    RE: MS to stop allowing passwords in URLs, Feb 03 2004 03:54PM, Richard M. Smith (rms computerbytesman com)
    RE: MS to stop allowing passwords in URLs, Feb 03 2004 02:26PM, Andrew Harwood (aaharwood_maillist bigpond com)
    Re: MS to stop allowing passwords in URLs, Feb 03 2004 10:32AM, Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
    Re: MS to stop allowing passwords in URLs, Feb 03 2004 04:01AM, Dave Warren (dave warren devilsplayground net) (3 replies)
      Re: MS to stop allowing passwords in URLs, Feb 06 2004 04:01AM, Nick FitzGerald (nick virus-l demon co uk)
      Re: MS to stop allowing passwords in URLs, Feb 03 2004 06:09PM, David B Harris (dbharris eelf ddts net)
    RE: MS to stop allowing passwords in URLs, Feb 03 2004 01:58AM, Fergus Brooks (fergusb evolve-online com) (1 replies)
Wednesday, January 28, 2004, 2:54:00 PM, you wrote:
MA> I just read that Microsoft will stop allowing IDs and passwords to be
MA> embedded in URLs used by Internet Explorer. So you will no longer be
MA> able to use a URL like https://user:password@www.somehost.com/
MA> See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
MA> Their reasoning is that this will mitigate status bar spoofing as has
MA> recently been discussed here and in other forums.
That reasoning is also in the KB article and the bug in this portion
of IE is obliquely acknowledged.
MA> The article even goes
MA> so far as to admit that recent versions of IE show only the URL before
MA> the @ sign while older versions do not.
The article states the opposite. It states that earlier versions
displayed the entire URL (including authentication parts) whereas IE6
conceals the authentication portion and displays starting with the
hostname. This is, of course, excluding cases that use known flaws in
the URL parsing and is also unique to Windows 2003.
MA> Apparently MS has decided that this RFC URL syntax is simply too
MA> dangerous to allow in their products.
If you read the HTTP 1.1 specs closely (RFC 2616) you will find that an
HTTP URL does NOT include the username:password in the syntax.
RFC 1738 and RFC 2396 specify the format of "generic" URLs but RFC
1738 specifically refers to RFC 2616 for the format of HTTP URLs.
RFCs 1738 and 2396 both discourage the use of username:password
information in URLs as well.
That said, I liked the ability to source-specify login information as
well. I think we may all be just a little shocked to see MS removing
functionality in the interests of security. I wonder if this is
because they were unable to fix the %00 spoofing or had too many other
issues with this syntax.
Another plus is that this change may see an upsurge in the use of
Mozilla, which still supports this syntax.
--
Best regards,
Sam mailto:sschinke (at) myrealbox (dot) com
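Added example, not code from the post or from Microsoft: a small Python checker, usable in a link filter or when reviewing proxy logs, that separates the userinfo part of an http(s) URL from the host a client would actually connect to and flags userinfo that is shaped like a hostname or that carries control characters such as %00, the two shapes behind the status-bar spoofing the thread discusses. The sample URLs, the `example-bank.test` name and the `classify`/`inspect_url` helpers are constructed for this example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (not from the original post). The first is the
# benign user:password form the thread discusses; the middle two carry a
# userinfo part shaped like a trusted hostname, the third with a %00 (NUL)
# embedded in it, which is what made the IE status bar misleading.
SAMPLE_URLS = [
    "https://user:password@www.somehost.com/",
    "http://www.example-bank.test@203.0.113.5/login",
    "http://www.example-bank.test%00@203.0.113.5/login",
    "http://www.somehost.com/plain",
]

HOSTLIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

def inspect_url(url):
    """Describe any userinfo in an http(s) URL.

    real_host is the host a client would actually connect to (everything
    after the last '@' in the authority); userinfo is the text before it
    that a casual reader may mistake for the host.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError("not an http(s) URL: %r" % url)
    if "@" not in parts.netloc:
        return {"userinfo": None, "real_host": parts.hostname,
                "hostlike_userinfo": False, "control_chars": False}
    userinfo = parts.netloc.rpartition("@")[0]
    decoded = unquote(userinfo)
    username = decoded.split(":", 1)[0]          # part before any password
    control = any(ord(c) < 0x20 or c == "\x7f" for c in decoded)
    visible = "".join(c for c in username if ord(c) >= 0x20 and c != "\x7f")
    return {"userinfo": userinfo, "real_host": parts.hostname,
            "hostlike_userinfo": bool(HOSTLIKE.match(visible)),
            "control_chars": control}

def classify(url):
    """'clean' (no userinfo), 'userinfo' (plain credentials, the form RFC
    1738/2396 discourage), or 'spoof-like' (hostname-shaped or control chars)."""
    r = inspect_url(url)
    if r["userinfo"] is None:
        return "clean"
    if r["hostlike_userinfo"] or r["control_chars"]:
        return "spoof-like"
    return "userinfo"

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = inspect_url(u)
        print("%-10s real host=%s userinfo=%r" % (classify(u), r["real_host"], r["userinfo"]))
```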