username:password vulnerability

Installed the latest patch for IE which breaks the http://username:password@sitename protocol. The interesting thing is that they break it in more than just the browser. Now if you run the above URL from the Start/Run menu or from the Quick Launch address bar, the system strips off the username:password@ part of the URL and takes you direct to the main site. This way it breaks Firebird/Firefox, which would work with the username:password option and was not vulnerable to the spoofing flaw. I guess they had to do it this way because of all the integration with the OS that IE does not do (end sarcasm). Apart from that it's not that big a deal anyway. It doesn't break wget though (which is a relief, as that would break a lot of my scripts).

Comments

  1. Neil T.

    If you go to HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE in the registry (create the keys if they don’t exist, also works under HKEY_CURRENT_USER if you only want to apply it to the current user) you can create DWORD values set to 0 for the names of executables where you want to allow user:pass@domain. For example, create iexplore.exe and explorer.exe to enable it in IE.
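The registry key described in the comment above is a per-executable feature control. The PowerShell below is an added example (not from the post or the commenter) that audits which executables have the user:pass@ syntax re-enabled (value 0) under both HKLM and HKCU, and includes a helper that sets the value back to 1 (syntax disabled) for the named executables; the function names are my own.

```powershell
# Audits (and optionally re-hardens) the per-process feature control that governs
# whether the user:pass@host URL syntax is honoured.
# DWORD 1 = syntax disabled (post-patch behaviour), 0 = syntax allowed (pre-patch, spoofable).
$KeyName = 'Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE'

function Get-UserPassUrlPolicy {
    # Returns one row per executable name found under HKLM and HKCU.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path = "${hive}:\$KeyName"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties the registry provider attaches.
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Hive       = $hive
                Executable = $p.Name
                Value      = $p.Value
                State      = if ($p.Value -eq 0) { 'user:pass ALLOWED (spoofable)' } else { 'user:pass disabled' }
            }
        }
    }
}

function Set-UserPassUrlDisabled {
    # Writes DWORD 1 for each executable so the syntax stays disabled for that process.
    # Default list mirrors the executables named in the comment (iexplore.exe, explorer.exe).
    param(
        [string[]]$Executable = @('iexplore.exe', 'explorer.exe'),
        [string]$Hive = 'HKLM'   # use 'HKCU' to affect only the current user
    )
    $path = "${Hive}:\$KeyName"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    foreach ($exe in $Executable) {
        Set-ItemProperty -Path $path -Name $exe -Value 1 -Type DWord
    }
}

# Report the current state; run Set-UserPassUrlDisabled (elevated for HKLM) to remediate any 0 entries.
Get-UserPassUrlPolicy | Format-Table -AutoSize
```

An executable that has no entry at all falls back to the patch's default, so only explicit 0 values show up as re-enabled.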

Comments are closed.