http password
Alex Rice
alex at mindlube.com
Fri Feb 13 14:23:04 EST 2004
On Feb 3, 2004, at 1:08 PM, Zac Elston wrote:
> i have a url that is
> "http://username:password@hostname/path/file.pl?var1=foo
Ugh. This format of URL may no longer be usable. I just read that good
'old Microsoft is breaking RFCs for URLs which could make your job
hell if you are a web developer:
<http://www.infoworld.com/article/04/01/29/HNiechange_1.html>
"""...a recently-discovered flaw in the way that IE parses URLs allows
scam artists to completely replace Web URLs that use the
username:password@ formatting with a URL of their choosing, regardless
of which Web page is actually displayed in IE. Microsoft was criticized
in recent weeks for not moving to patch that vulnerability when it
released its other January security updates.

Microsoft, like many other browser makers, based its support of the
username:password@ syntax on Internet standards documents, such as
Internet Engineering Task Force (IETF) documents RFC (Request For
Comments) 1738, which specifies how URLs on the Internet should be
formatted, and RFC 2616 that specifies how HTTP URLs should be
formatted, Fitzgerald said.

The change announced on Tuesday will violate some of those
specifications, but benefit consumers, according to Russ Cooper,
TruSecure Corp. Surgeon General and moderator of the NTBugtraq security
discussion group.

"No doubt some who will cry foul...or sob because needed functionality
is now gone or Web sites have to be recoded," Cooper wrote in a message
posted to NTBugtraq Wednesday. "To them I say a big 'Too bad!'. The
average user, the victim of phishing scams, isn't going to miss the
functionality but will happily miss the scams."

That said, Microsoft should try to find a way to safely handle URLs
with passwords in them, Cooper said."""
--
Alex Rice | Mindlube Software | http://mindlube.com
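
Added example, not part of the original message or of any project mentioned in it: one way to "recode" a URL of the username:password@ form is to split it into a credential-free URL plus an HTTP Basic Authorization header, and to flag userinfo that looks like a hostname, which is the misleading pattern the quoted article describes. The function name `analyze_url`, the `HOSTLIKE` pattern and the second sample URL are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Heuristic (assumption): userinfo shaped like a domain name is suspicious,
# because a reader may mistake it for the site actually being visited.
HOSTLIKE = re.compile(r"^(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def analyze_url(url):
    """Return the real host, a credential-free URL, a Basic auth header and warnings."""
    parts = urlsplit(url)
    result = {"real_host": parts.hostname, "clean_url": url,
              "authorization": None, "warnings": []}
    if "@" not in parts.netloc:
        return result  # no userinfo component, nothing to do

    # Everything before the LAST '@' is userinfo; the host comes after it.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user, _, password = userinfo.partition(":")
    user, password = unquote(user), unquote(password)

    # Rebuild the URL without credentials and carry them in a header instead.
    result["clean_url"] = urlunsplit(
        (parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    result["authorization"] = "Basic " + token
    result["warnings"].append("credentials embedded in URL")

    if HOSTLIKE.match(user):
        result["warnings"].append(
            f"userinfo '{user}' looks like a hostname; real host is {parts.hostname}")
    return result


if __name__ == "__main__":
    samples = [
        "http://username:password@hostname/path/file.pl?var1=foo",  # from the thread
        "http://www.example.com@203.0.113.5/login",                 # constructed sample
    ]
    for sample in samples:
        print(sample, "->", analyze_url(sample))
```

Basic authentication only encodes the credentials, so the rewritten request still needs HTTPS to keep them off the wire in clear text.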