Re-enabling user:pass with IE

re: Re-enabling user:pass with IE

David Cumps — Sat, 07 Feb 2004 22:05:00 GMT

Hi,

I checked this site; http://zcat.wired.net.nz/upgrade/ and did the upgrade link, want to know what i got in the IE adress bar?

http://msie.microsoft.com%00@zcat.wired.net.nz/details.aspx
Toghether with a page not found error

So, by patching it fixes the chr(0) bug, and with the registry tweak i re-enable the possibility for http and https to use user:pass

Correct me if i'm wrong.

And yes, apparently i mis-read the RFC :) sorry.

I personally use the user:pass form in a bookmark set to access my home sites with different logons (local machine), that way i check security settings for different users

re: Re-enabling user:pass with IE

Kent Sharkey — Sat, 07 Feb 2004 22:09:00 GMT

Oh, sweet!

Sorry -- I had assumed that the Registry poke would disable the goodness of the patch (forgot to do my homework and re-click on the link on that page). Good to see that it doesn't work.

So, excellent fix -- I may now apply it (btw, you have a good reason for using the schema -- much easier than logging in/out all the time).

TTFN - Kent

testpost plz ignore

David Cumps — Sun, 08 Feb 2004 01:27:00 GMT

testpost plz ignore

David Cumps — Sun, 08 Feb 2004 01:28:00 GMT

test

re: Re-enabling user:pass with IE

moo — Sat, 07 Feb 2004 22:50:00 GMT

Why not just NOT patch in the first place.

If you really want this, use a different browser then.

RFC 2396 defines it...

Dumky — Sat, 07 Feb 2004 22:54:00 GMT

So many people mention RFC 1738, but don't read RFC 2396 (http://www.ietf.org/rfc/rfc2396.txt).

Two quotes:
"it revises and replaces the generic definitions in RFC 1738 and RFC 1808."

"Some URL schemes use the format "user:password" in the userinfo field. This practice is NOT RECOMMENDED, because the passing of authentication information in clear text (such as URI) has proven to be a security risk in almost every case where it has been used."

Cheers,
Dumky

re: Re-enabling user:pass with IE

David Cumps — Sat, 07 Feb 2004 23:26:00 GMT

'almost' every case.
In some cases it can be handy.
Passes not being sent over the internet but only on the local machine webserver isn't a security risk, as it even isn't a production environment.

re: Re-enabling user:pass with IE

Kent Sharkey — Sun, 08 Feb 2004 03:41:00 GMT

moo: David has noticed that this Registry poke still protects you from the %00 exploit, while allowing the use of this scheme (in a rather restricted environment). If he hadn't patched, he'd still be liable for spoofing (unless he [and I can't believe someone actually typed this] types in all his URLs)

everyone: I think we're all in agreement that user:pass is a *generally* bad idea for HTTP, however, like all *general* solutions, can be handy in *some* situations, as David's test scenario described.

TTFN - Kent

re: Re-enabling user:pass with IE

moo — Sun, 08 Feb 2004 19:02:00 GMT

Putting anything in the URL that isnt a page link is generally bad. I have lost count of the times ive got privacy leaks and internal info by playing with the URL.

I do love playing with parameters, so yeah sure go ahead, Ill more than likely get access to customer data.