Full Disclosure mailing list archives
Re: Apparently the practice was prevalent
From: hggdh <hggdh () comcast net>
Date: Sun, 8 Feb 2004 13:01:53 -0600
Hello Paul,

Sunday, February 8, 2004, 11:18:17 AM, you wrote:

PS> According to this story, some programmers have been up late "fixing" the
PS> inability to use @ in their urls. :-) One company is even proposing
PS> reversing the change (by sending their users a registry update) so they can
PS> continue to use the feature. Makes you wonder how long it will be before a
PS> virus or worm reverses the registry key so it can use that "feature".

I will bite the hook. I think we have gone off on a tangent on this MS fix -- as far as I can understand MS blocked it not because it was not in the RFC, but because it could be used against people. And, the point here is that it could be used due to OTHER IE vulnerabilities.

As Valdis said earlier, user:password@site is a DE FACTO standard. It goes against the RFC? Well, get over it. Such is life. It has not been the first time, and it will not be the last one. What defines a de facto standard is prevalence of use. Nobody can argue that the IE browser is not prevalent...

Is it a Real Bad Idea? Yes, certainly. Should it be used? No. But, still, MS implemented it, and promoted its use. Now, due to their inability to fix OTHER problems, they took it out.

Finally -- from a security point of view, I am really glad. But it was still a (de facto) standard, still a standard, still a standard. So obviously there are people out there that will have to scramble to get their things back working. After all, MS suddenly took it out... and, also expected, MS would have to provide a backdoor. We can just hope that a future fix will take it out for once and for all.

..hggdh..

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html