Microsoft to Change IE Behavior to Block Spoofing AttacksBy Larry Seltzer | Posted 2004-01-29 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
http://username:password@server/file.html syntax to be disallowed by an upcoming software update. Problematic feature was recently made more dangerous by the unveiling of a display bug in browser.Microsoft Corp. has announced in a support document that it will be releasing a software update to Internet Explorer and Windows Explorer to disable the use of certain syntax in HTTP URLs. The syntax, designed to allow a username and password to be passed to a password-protected page, has a history of abuse. The company did not give a timeline for the release of the patch.
The syntax takes the form http[s]://username:password@server/file.html, such as http://joe:firstname.lastname@example.org/, where "joe" is the username and "blow" is the password. But a site that does not look for the username and password will ignore the values passed, and only the string after the "@" symbol is used for the domain name. Other browsers support this syntax to varying degrees.