WebApp Sec mailing list archives
RE: unable to access web site embeds username & password
From: Noah Gray <NGray () worldrelief net>
Date: Mon, 21 Jun 2004 22:34:17 -0400
I recently worked with an organization that had used this in some specific cases for integration purposes. It was a CMS, complete with some inflexible ISAPI filters that had mandated the use of the embedded basic authentication, of course over SSL.

Just to help you resign yourself to your new fate, we searched high and low, and found NO way to support this functionality in IE browsers for a wide audience. In the end, we worked with each and every party to switch to a token-based system in the querystring. In the end, it was a great chance to rethink how our 3rd party authentication worked. We were able to implement a system that could be securely implemented without SSL, which is unheard of in the URL-embedded basic system.

Believe me when I say that this is a must-upgrade situation. You have to use some other way to authenticate these intranet users in IE.

Regards,
Noah Gray

-----Original Message-----
From: Ivo Mencke [mailto:imencke () servecentric com]
Sent: Monday, June 21, 2004 11:03 AM
To: bysoo1 () optusnet com au
Cc: webappsec () securityfocus com
Subject: Re: unable to access web site embeds username & password

A security update is available that modifies the default behavior of Internet Explorer for handling user information in HTTP and in HTTPS URLs

http://support.microsoft.com/default.aspx?scid=kb;%5Bln%5D;834489

SUMMARY
A security update is available that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft Internet Explorer. The following URL syntax is no longer supported in Internet Explorer or in Windows Explorer after you install the MS04-004 Cumulative Security Update for Internet Explorer (832894):

http(s)://username:password@server/resource.ext

I would say, use another browser ....

On Thu, 2004-06-17 at 12:31, OPTUSBYS wrote:
Dear all,

I have discovered if I access my intranet that embeds the username and password, it will not work on workstations that have the latest Microsoft security patches installed.

http://username:password@webserver/website

Does anyone have a solution to this, because I still don't know which security patch inhibits the access. On the other hand, I don't really want to leave my workstations unprotected too.

Thanks for your contribution. Much appreciated.

Regards,
Seeker.
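
An inventory check for the situation in this thread, as an added example that is not part of any poster's message: it scans page or configuration text for links in the `http(s)://username:password@server/resource.ext` form that patched Internet Explorer rejects, and reports them with the credentials stripped so the findings can be shared safely. The function names and the sample markup are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Candidate http/https URLs, ending at whitespace, quotes or angle brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def strip_userinfo(url):
    """Return (clean_url, username, password_present) for one URL."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        # An "@" in the path or query is not userinfo; only netloc counts.
        return url, None, False
    # Keep only host[:port]; rpartition matches how urlsplit finds userinfo.
    netloc = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, netloc, parts.path,
                        parts.query, parts.fragment))
    return clean, parts.username, parts.password is not None


def audit(text):
    """List every link in text that embeds credentials, without the secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in URL_RE.finditer(line):
            raw = match.group(0).rstrip(".,;)")  # drop trailing punctuation
            clean, user, has_pw = strip_userinfo(raw)
            if user is not None:
                findings.append({"line": lineno, "url": clean,
                                 "user": user, "password_present": has_pw})
    return findings


# Constructed sample: intranet markup using the URL forms quoted in the thread.
SAMPLE = '''\
<a href="http://username:password@webserver/website">CMS</a>
<a href="https://webserver/help?contact=admin@webserver">Help</a>
<a href="https://svc@server:8443/resource.ext?id=7">Report</a>
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each finding is a link that has to move to another authentication method before it will work in the patched browser; the password itself is never copied into the report.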