Home page logo

webappsec logo WebApp Sec mailing list archives

RE: unable to access web site embeds username & password
From: Noah Gray <NGray () worldrelief net>
Date: Tue, 22 Jun 2004 12:51:33 -0400

By 'Wide' I mean the vast majority of external users who would never change
their registry to access a site.

"Not susceptible to attack" is a an indefensible statement. However, refer
to Kerberos for an implementation of authentication that can occur over an
untrusted medium. Our specific system is not public. I'm simply saying it's
possible, the point being that this IE limitation offered the organization
the impetus to improve.


Noah Gray

-----Original Message-----
From: Michael Silk
To: Noah Gray; webappsec () securityfocus com
Sent: 6/22/04 12:41 AM
Subject: RE: unable to access web site embeds username & password


        By wide audience do you mean *unknown* audience ?

        I.e. you can simply set the site (your site) as a trusted site
and it (IE)
        will automatically pass the login information via NTLM ... ?

        Also, I'm interested ... what system did you use to provide some
        token that is not susceptible to attack (at least attacks which
SSL protects
        agains) ?

-- Michael

-----Original Message-----
From: Noah Gray [mailto:NGray () worldrelief net]
Sent: Tuesday, 22 June 2004 12:34 PM
To: webappsec () securityfocus com
Subject: RE: unable to access web site embeds username & password

I recently worked with an organization that had used this in some
cases for integration purposes. It was a CMS, complete with some
ISAPI filters that had mandaded the use of the embedded basic
authentication, of course over SSL.

Just to help you resign yourself to your new fate, we searched high and
and found NO way to support this functionality in IE browsers for a wide
audience. In the end, we worked with each and every party to switch to a
token-based system in the querystring.

In the end, it was a great chance to rethink our how our 3rd party
authentication worked. We were able to implement a system that could be
securely implemented without SSL, which is unheard of in the
basic system.

Believe me when I say that this is a must-upgrade situation. You have to
some other way to authenticate these intranet users in IE.


Noah Gray

-----Original Message-----
From: Ivo Mencke [mailto:imencke () servecentric com]
Sent: Monday, June 21, 2004 11:03 AM
To: bysoo1 () optusnet com au
Cc: webappsec () securityfocus com
Subject: Re: unable to access web site embeds username & password

A security update is available that modifies the default behavior of
Internet Explorer for handling user information in HTTP and in HTTPS


A security update is available that removes support for handling user
names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or
HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is
no longer supported in Internet Explorer or in Windows Explorer after
you install the MS04-004 Cumulative Security Update for Internet
Explorer (832894): 

http(s)://username:password () server/resource.ext

i would say, use another browser ....

On Thu, 2004-06-17 at 12:31, OPTUSBYS wrote:
Dear all,

I have discovered if I access my intranet that embeds the username and
password, it will not work on workstations have the latest Microsoft
security patches installed.

http://username:password () webserver/website

Does anyone have a solution to this because I still don't know which
security patch that inhibits the access. 

On the other hand, I don't really want to leave my workstations

Thanks for your contribution.

Much appreciated.


This email message and accompanying data may contain information that is
confidential and/or subject to legal privilege. If you are not the
intended recipient, you are notified that any use, dissemination,
distribution or copying of this message or data is prohibited. If you
have received this email message in error, please notify us immediately
and erase all copies of this message and attachments.

This email is for your convenience only, you should not rely on any
information contained herein for contractual or legal purposes. You
should only rely on information and/or instructions in writing and on
company letterhead signed by authorised persons.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]