This has already been implemented in the out-of-schedule IE patch they released yesterday, MS04-040. This is also the first time they broke their promised monthly patch schedule, so far they have released patches in the second week of the month. http://www.microsoft.com/technet/security/bulletin/MS04-004.asp Navigating to a link with Basic Authentication details embedded (user:password@host) now yields an "invalid syntax error". Embedding HTTP authentication details as part of the URL is not part of the HTTP RFC in the first place, but is allowed in a generic URI. RFC 1738 has no mention of authentication in the syntax of an HTTP URL (see page 8) and its implementation in browsers has been an exception - much like the Content-Disposition MIME header that is widely implemented in the HTTP handling of browsers. However, if you hover your mouse over such a link you will see the status bar of the browser still displays the incorrect link. It seems like the incorrect parsing code is still there, but the current attack vector is gone - time to look for other pathways. Regards Thor Larholm PGP: 0x5A276569 6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569 PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of Qwik-Fix <http://www.qwik-fix.net> -----Original Message----- From: McAllister, Andrew [mailto:McAllisterA@umsystem.edu] Sent: Wed 1/28/2004 2:54 PM To: bugtraq@securityfocus.com Cc: Subject: MS to stop allowing passwords in URLs I just read that Microsoft will stop allowing IDs and passwords to be embedded in URLs used by Internet Explorer. So you will no longer be able to use a URL like https://user:password@www.somehost.com/ See http://support.microsoft.com/default.aspx?scid=kb;en-us;834489 Their reasoning is that this will mitigate status bar spoofing as has recently been discussed here and in other forums. The article even goes so far as to admit that recent versions of IE show only the URL before the @ sign while older versions do not. Apparently MS has decided that this RFC URL syntax is simply too dangerous to allow in their products. Their suggested workarounds include among others: 1) Having users click the "Remember my password" checkbox in IE. 2) Using cookies. I personally use this syntax in only one production application, BBTray - a windows tray applet that watches my bigbrother monitoring server. Click the applet and it opens a browser window with the id:passowrd@server.com syntax. The ID and password is specific to our bigbrother application, my workstation sits behind two firewalls and I am the only admin on the box. So, I consider this use to be legit and relatively safe given the convenience it provides. I certainly don't consider the "remember my password" functionality nor stored cookies any more or less safe than this syntax. Anyone have any comments regarding legitimate uses of this syntax and Microsoft removing it from their browser? (and presumably the OS since the browser IS the OS). Andrew McAllister University of Missouri
