lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 3 Feb 2004 20:47:53 -0800
From: Sam Schinke <>
To: "Thor Larholm" <>
Subject: Re: MS to stop allowing passwords in URLs

Hello Thor,

Tuesday, February 3, 2004, 9:02:11 AM, you wrote:

TL> This has already been implemented in the out-of-schedule IE patch they
TL> released yesterday, MS04-040. This is also the first time they broke their
TL> promised monthly patch schedule, so far they have released patches in the
TL> second week of the month.


There was a case of an "escaped" fix last month, wasn't there?

TL> However, if you hover your mouse over such a link you will see the status
TL> bar of the browser still displays the incorrect link. It seems like the
TL> incorrect parsing code is still there, but the current attack vector is
TL> gone - time to look for other pathways.

So  this  really  IS  a  case  of  gutting a "feature" to spite a bug,
without  actually  fully  fixing  the bug. Or did I misunderstand you?
Were  you referring to the %00 FQDN spoofing vulnerability or just the
display of the username:password in the URL bar?

I'll go answer those questions myself. *g*

Ok,  I've  confirmed  that one (status bar showing spoofed domain with
%00)  at  secunia's test page. Of course, there are many other ways to
manipulate  the status bar on a mouseover, but this flaw still applies
to some small extent.

The  spoofing  flaw  does  appear  to be entirely gone in the URL bar,

In one way or another, at any rate.

URL's  spoofed  with  %00  in  them  issue  an  "invalid syntax" error
regardless  of the state of the new registry keys mentioned in the KB.
This  is  done  without  modifying  what  is  shown  in  the  URL bar.
Everything is shown, including the spoofed string and the real domain.
Maybe  people  could  be  fooled  into  dialing  a telephone number or
sending  in  the  information by email "if this website is down due to
high demand". This isn't MS's problem IMO, though.

If  the  registry  keys are set and no unusual characters are present,
the  page  loads  as expected, however the username:password string is
removed   from   the   URL  bar  (I  havn't  tested  whether  a  basic
authentication login will still occur).

So,  the  bug  does  seem  to  be  fixed except on the status bar when
mousing over a link that is trying to spoof a destination.

Best regards,

Powered by blists - more mailing lists