[Full-Disclosure] Interesting side effect of the new IE patch
nick at virus-l.demon.co.uk
Fri Feb 6 13:16:29 GMT 2004
rhetorical question <ypwhich at io.com> wrote:
> I *may* be wrong. But I do believe the "http://username:password@... " bit
> has been around for some time. ...
In the KB article describing this change Microsoft says it introduced
handling of "userinfo" in HTTP[S] URLs in IE 3.0. That was what --
1996 or 1997? Whatever, I think we'd agree that in computing or
Internet terms that is a fair while ago...
> ... I remember finding that out a long time ago,
> which was convenient in regards to browsing FTP sites which require a login/
> password. Was using Netscape Navigator Gold, mid 90s.
> I still have some of my old browsers, will install a few and test it out.
As has been discussed (at length) in this and obviously related
threads, the change in IE specifically affects HTTP and HTTPS URLs.
IE's handling of FTP URLs is irrelevant as the "userinfo" syntax is
allowed for such URLs and is not claimed to have been altered.
Microsoft has simply, very belatedly, pulled this aspect of IE's
behaviour into line with the standards that define what an HTTP[S]
protocol handler should do.
Full-Disclosure is hosted and sponsored by Secunia.
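
The distinction drawn in the message above (userinfo refused in HTTP and HTTPS URLs, still accepted in FTP URLs), as an added example that is not part of the original post and is not IE's code: a URL policy check built on the standard WHATWG URL parser available in Node.js and browsers. The function name classifyUrl and all sample URLs are constructed for illustration.

```javascript
// Added example: classifyUrl is a hypothetical helper, not IE's implementation.
// Schemes for which a "userinfo" component (user:password@) is refused.
const USERINFO_FORBIDDEN = new Set(["http:", "https:"]);

function classifyUrl(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser; lowercases the scheme
  } catch (err) {
    return { verdict: "invalid", host: null, reason: "not an absolute URL" };
  }

  // The parser silently drops an empty userinfo ("http://@host/"), so the
  // raw authority (text between "//" and the next "/", "?" or "#") is
  // inspected as well.
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(input.trim());
  const rawHasAt = m !== null && m[1].includes("@");
  const hasUserinfo = url.username !== "" || url.password !== "" || rawHasAt;

  if (!hasUserinfo) {
    return { verdict: "allow", host: url.hostname, reason: "no userinfo" };
  }
  if (USERINFO_FORBIDDEN.has(url.protocol)) {
    return {
      verdict: "reject",
      host: url.hostname, // the host that would actually be contacted
      reason: "userinfo not permitted in " + url.protocol + " URLs",
    };
  }
  return {
    verdict: "allow",
    host: url.hostname,
    reason: "userinfo permitted for " + url.protocol,
  };
}

// Constructed sample URLs (example.com names are placeholders).
const SAMPLES = [
  "http://user:secret@www.example.com/index.html",
  "https://user@www.example.com/",
  "ftp://user:secret@ftp.example.com/pub/",
  "https://www.example.com/path@not-userinfo",
];
for (const s of SAMPLES) {
  const r = classifyUrl(s);
  console.log(r.verdict.padEnd(7), s, "->", r.reason);
}
```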