WebApp Sec mailing list archives

RE: unable to access web site embeds username & password


From: "Brown, James F." <James.F.Brown () FMR com>
Date: Tue, 22 Jun 2004 16:36:29 -0400

Keep in mind that passing passwords on the URL like this is horribly
insecure. Your password will wind up sitting in web server logs, proxy
server logs and will in some cases get sent off to other sites via the
http referer mechanism.

- Jim Brown

-----Original Message-----
From: Kevin R. Babcock [mailto:kevinb () ugcs caltech edu] 
Sent: Monday, June 21, 2004 11:44 AM
To: webappsec () securityfocus com
Subject: Re: unable to access web site embeds username & password


I have discovered if I access my intranet that embeds the username and
password, it will not work on workstations that have the latest Microsoft
security patches installed.

http://username:password@webserver/website


Does anyone have a solution to this because I still don't know which
security patch inhibits the access.

This change is part of the MS04-004 Cumulative Security Update.  You can
disable this behavior in the registry.

http://support.microsoft.com/default.aspx?scid=kb;en-us;834489

-Kevin
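
The log exposure described in the reply above can be audited and cleaned up after the fact. The following is an added example, not part of the original thread: it masks `user:password@` userinfo in any http(s) URL found in a log line and reports which lines carried it. The function names and the sample log lines are constructed for illustration; the URL is the placeholder from the thread.

```python
import re

# Authority part of an http(s) URL that carries userinfo ("user:password@").
# The greedy match runs to the last "@" before the first "/", "?" or "#",
# so an "@" inside a path or query string is never treated as userinfo.
USERINFO_RE = re.compile(r'(https?://)([^/?#\s"<>]*)@', re.IGNORECASE)


def scrub_line(line):
    """Return (scrubbed_line, findings). findings holds 'password' or
    'username-only' for every URL whose userinfo was masked."""
    findings = []

    def mask(match):
        userinfo = match.group(2)
        findings.append("password" if ":" in userinfo else "username-only")
        return match.group(1) + "REDACTED@"

    return USERINFO_RE.sub(mask, line), findings


def audit(lines):
    """Scrub every line; return (scrubbed_lines, [(line_number, finding), ...])."""
    scrubbed, report = [], []
    for number, line in enumerate(lines, start=1):
        clean, findings = scrub_line(line)
        scrubbed.append(clean)
        report.extend((number, finding) for finding in findings)
    return scrubbed, report


# Constructed sample input: a web server line with the credentials in the
# Referer field, a proxy line with them in the requested URL, and a clean
# line whose query string contains an "@" that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Jun/2004:16:36:29 -0400] "GET /report.html HTTP/1.0" '
    '200 512 "http://username:password@webserver/website" "Mozilla/4.0"',
    '1087936589.123 45 10.0.0.5 TCP_MISS/200 512 GET '
    'http://username:password@webserver/website - DIRECT/10.0.0.9 text/html',
    '10.0.0.6 - - [22/Jun/2004:16:40:02 -0400] "GET /index.html HTTP/1.0" '
    '200 1024 "http://webserver/search?mail=jim@example.com" "Mozilla/4.0"',
]

if __name__ == "__main__":
    cleaned, hits = audit(SAMPLE_LOG)
    for number, finding in hits:
        print(f"line {number}: URL credentials found ({finding})")
    print("\n".join(cleaned))
```

Masking at log-write time or during rotation limits how long the credentials sit on disk; any password that has already appeared in a log should be treated as exposed and changed.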

