lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6.0.1.1.2.20040212105335.03814470@pop3.moondrummer.com>
From: krs at c3group.net (Kevin Sullivan)
Subject: Absurd Microsoft QA?  The Return of the
  "username@...sword"...

 >* Here's the final straw
  On February 10, 2004
  Microsoft released
 > a patch that
  restores the "username@...sword:" functionality in URL
 >references!
 > * It seems they are trying to hide this fact as this is not
 >widely publicized and it is NOT being labeled as an IE patch nor a even
 >a security patch!

Probably because it is NOT a security patch, nor does it restore the
embedded-credentials functionality. It addresses the specific problem
(created by the 04 patch )of not being able to pass user credentials in
an XML Open() call.

 From the M$ article:
"This fix will only enable the scenario where user credentials are passed as
parameters in the Open() method call. It will not enable scenarios where
the user credentials are embedded in the URL."


Ks 



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ