Home page logo

webappsec logo WebApp Sec mailing list archives

RE: unable to access web site embeds username & password
From: Noah Gray <NGray () worldrelief net>
Date: Mon, 21 Jun 2004 22:34:17 -0400

I recently worked with an organization that had used this in some specific
cases for integration purposes. It was a CMS, complete with some inflexible
ISAPI filters that had mandaded the use of the embedded basic
authentication, of course over SSL.

Just to help you resign yourself to your new fate, we searched high and low,
and found NO way to support this functionality in IE browsers for a wide
audience. In the end, we worked with each and every party to switch to a
token-based system in the querystring.

In the end, it was a great chance to rethink our how our 3rd party
authentication worked. We were able to implement a system that could be
securely implemented without SSL, which is unheard of in the URL-embedded
basic system.

Believe me when I say that this is a must-upgrade situation. You have to use
some other way to authenticate these intranet users in IE.


Noah Gray

-----Original Message-----
From: Ivo Mencke [mailto:imencke () servecentric com]
Sent: Monday, June 21, 2004 11:03 AM
To: bysoo1 () optusnet com au
Cc: webappsec () securityfocus com
Subject: Re: unable to access web site embeds username & password

A security update is available that modifies the default behavior of
Internet Explorer for handling user information in HTTP and in HTTPS


A security update is available that removes support for handling user
names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or
HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is
no longer supported in Internet Explorer or in Windows Explorer after
you install the MS04-004 Cumulative Security Update for Internet
Explorer (832894): 

http(s)://username:password () server/resource.ext

i would say, use another browser ....

On Thu, 2004-06-17 at 12:31, OPTUSBYS wrote:
Dear all,

I have discovered if I access my intranet that embeds the username and
password, it will not work on workstations have the latest Microsoft
security patches installed.

http://username:password () webserver/website

Does anyone have a solution to this because I still don't know which
security patch that inhibits the access. 

On the other hand, I don't really want to leave my workstations

Thanks for your contribution.

Much appreciated.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]