
Ie Patch May Disrupt Some Downloads


14 replies to this topic

#1 Kthulu

Kthulu

    X-S Freak

  • XS-BANNED
  • 1,287 posts
  • Xbox Version:v1.0
  • 360 version:unknown

Posted 04 February 2004 - 12:36 PM

this may be old news to some, but thought this might be good to keep in mind when trying to get scripts or preview vids...

MS has released a security patch for IE that disables the ability to login to a web or ftp site by doing this:

QUOTE
ftp://username:password@ftpsite.com


the article is here

NOTE: you'll have to substitute micro$oft in the link

Edited by Kthulu, 04 February 2004 - 12:37 PM.


#2 yourwishismine

yourwishismine

    X-S Genius

  • Members
  • 890 posts
  • Xbox Version:unk

Posted 04 February 2004 - 01:01 PM

QUOTE (Kthulu @ Feb 4 2004, 08:36 AM)
this may be old news to some, but thought this might be good to keep in mind when trying to get scripts or preview vids...

MS has released a security patch for IE that disables the ability to login to a web or ftp site by doing this:

QUOTE
ftp://username:password@ftpsite.com


the article is here

NOTE: you'll have to substitute micro$oft in the link

Micro$oft giveth and Micro$oft taketh away...

Awfully nice of them... well nice, kinda like a brick upside the head...


#3 thetruethugg

thetruethugg

    X-S Expert

  • Members
  • 638 posts
  • Xbox Version:v1.0

Posted 04 February 2004 - 01:52 PM

thetruethugg* logs into FTP using FB just to spite IE users

Muhahaha!

But seriously, it's not that big of a deal IMO, but I could be biased, I just prefer AceFTP as my FTP client, as opposed to IE/Moz

#4 BenJeremy

BenJeremy

    X-S Elysian

  • Head Moderator
  • 9,690 posts
  • Xbox Version:v1.1
  • 360 version:v1 (xenon)

Posted 04 February 2004 - 01:56 PM

I wonder how you can force it to accept a username and password, then... I've logged into my FTP from work (here) using the URL-based login info. Will it force you to access it anonymously now?

This is really a stupid solution thanks to LCD-Think (Lowest Common Denominator)

#5 yourwishismine

yourwishismine

    X-S Genius

  • Members
  • 890 posts
  • Xbox Version:unk

Posted 04 February 2004 - 02:07 PM

I just took the time to read through that article on MicroShafts website.

Man, that's a load of: 'we are MicroShaft, you will do things our way or not at all'

What a great way to piss all over the users of IE and the developers websites/ftp sites.

Thank you again, MicroShaft,

Your Loyal user. (yeah right)


#6 Kthulu

Kthulu

    X-S Freak

  • XS-BANNED
  • 1,287 posts
  • Xbox Version:v1.0
  • 360 version:unknown

Posted 04 February 2004 - 04:32 PM

heh, yeah, this is supposedly a new 'security feature'...if they can't login, i guess it is secure...lol

as far as how IE will act as a ftp client, i guess it will just throw one of those pop-up login boxes at you...

#7 pelago

pelago

    X-S Expert

  • Members
  • 641 posts

Posted 05 February 2004 - 07:57 PM

Actually I think the change only gets rid of the (little used) http://username:pass...@site.com-style URLs, not the ftp://username:password@site.com ones.

#8 Kthulu

Kthulu

    X-S Freak

  • XS-BANNED
  • 1,287 posts
  • Xbox Version:v1.0
  • 360 version:unknown

Posted 05 February 2004 - 08:21 PM

looking again, it looks like you're right...my bad...i've just never seen a http link that used that syntax...started assuming too much...

now my dip-shitness is here for all the world to see...

Edited by Kthulu, 05 February 2004 - 08:23 PM.


#9 yourwishismine

yourwishismine

    X-S Genius

  • Members
  • 890 posts
  • Xbox Version:unk

Posted 05 February 2004 - 10:14 PM

QUOTE (pelago @ Feb 5 2004, 03:57 PM)
Actually I think the change only gets rid of the (little used) http://username:pass...@site.com-style URLs, not the ftp://username:password@site.com ones.

Well... it's not little used in my case as I have all my users set up to log onto web-based email from home that way.. and also other web-based protected sites that I set up for the company use... I say it's a real kick in the dick to me.. especially when all them start calling me (waking me from my sleep at my desk) asking 'why won't my email work from home.. blah blah.. oh the torment.. oh the toil.. oh the .. thanks for throwing a wrench in the machine MS...


#10 flattspott

flattspott

    X-S Freak

  • Moderator
  • 1,787 posts
  • Location:Southern California
  • Xbox Version:v1.0
  • 360 version:v1 (xenon)

Posted 05 February 2004 - 10:24 PM

Aww, did someone wake you up from your nap?

#11 DrunkPenguin

DrunkPenguin

    X-S Member

  • Members
  • 133 posts

Posted 06 February 2004 - 12:36 AM

does anyone still use explorer? with all the better alternatives out there i don't understand the reason to keep it.

but that's just me...


DrunkPenguin

#12 yourwishismine

yourwishismine

    X-S Genius

  • Members
  • 890 posts
  • Xbox Version:unk

Posted 06 February 2004 - 08:42 AM

QUOTE (DrunkPenguin @ Feb 5 2004, 08:36 PM)
does anyone still use explorer? with all the better alternatives out there i don't understand the reason to keep it.

but that's just me...


DrunkPenguin

When you are supporting over 50 users in a work environment... you really want them all on the same thing that is the easiest to install (in this case, since it's installed with the OS, it is the easiest)... and yes I use network ghosting and RIS services, however I also cover 4 branches within a 800 mile radius and I don't really want to go spending all my time on the road... so from my perspective, using an alternative would create not only the extra work of installing different software, but would also require me to retrain all those people on using the new browser (yes even if it worked EXACTLY the same, they would still need retrained), but I would also have to deal with all those tech support calls of them saying 'how do I do this' and 'this doesn't work in this new browser-thingy'.. so a different browser isn't much of an alternative...


#13 pelago

pelago

    X-S Expert

  • Members
  • 641 posts

Posted 06 February 2004 - 10:55 AM

You know why they've done this, though? It's to stop scams where people send fake emails inviting people to login to URLs like:

http://www.natwest.c...678/account.php

Recipients reading such a URL will assume it is on the NatWest online banking website, and will happily type in their password, which will instead go to the scammers. It takes a close look before you realise this is not actually on the NatWest site, as many people don't know about the username:password@ thing.

I think I'd rather have the inconvenience of a few genuine username:password@ sites not working, than the problem of the scam above, which caused lots of problems.

Edited by pelago, 06 February 2004 - 10:55 AM.


#14 yourwishismine

yourwishismine

    X-S Genius

  • Members
  • 890 posts
  • Xbox Version:unk

Posted 06 February 2004 - 11:47 AM

QUOTE (pelago @ Feb 6 2004, 06:55 AM)
You know why they've done this, though? It's to stop scams where people send fake emails inviting people to login to URLs like:

http://www.natwest.c...678/account.php

Recipients reading such a URL will assume it is on the NatWest online banking website, and will happily type in their password, which will instead go to the scammers. It takes a close look before you realise this is not actually on the NatWest site, as many people don't know about the username:password@ thing.

I think I'd rather have the inconvenience of a few genuine username:password@ sites not working, than the problem of the scam above, which caused lots of problems.

I agree with that to an extent, but a better solution would be to take these spammers out and chop their hands off...

#15 geniusalz

geniusalz

    Team MXM

  • Head Moderator
  • 1,827 posts
  • Xbox Version:v1.1
  • 360 version:unknown

Posted 06 February 2004 - 01:44 PM

Another form of this exploit is slightly worse. Using the same user:pwd@site trick, you can put some characters in the username that cause IE to regard the string as terminated. Therefore all you see in the status bar when hovering over a link is the username, and when u click the link, that's what goes in the address bar too.

e.g.

http://fakesite.com<illegal char here>:blah@blah.com
will just look like
http://fakesite.com
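
A defensive check for the two link tricks described in posts #13 and #15, as an added example that is not part of the original thread: it reports the host a link really goes to and flags `user@host` URLs whose user part imitates a hostname or hides a control character. The function name, flag strings and sample URLs are constructed for illustration, and reading "illegal char" as any raw or percent-encoded control character is an assumption.

```python
import re
from urllib.parse import unquote

# scheme://authority is parsed by hand: urlsplit() silently drops some control
# characters, and those are exactly what this check needs to see.
_AUTHORITY = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/?#]*)", re.I)
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")
_HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)


def inspect_link(url):
    """Return (real_host, flags) for a link found in mail or on a page."""
    m = _AUTHORITY.match(url)
    if not m:
        return None, ["unparseable"]
    scheme, authority = m.group(1).lower(), m.group(2)
    # The host is whatever follows the LAST '@'; everything before is userinfo.
    userinfo, at, hostport = authority.rpartition("@")
    real_host = re.sub(r":\d*$", "", hostport).lower()
    flags = []
    if at:
        if scheme in ("http", "https"):
            flags.append("userinfo-in-http-url")
        decoded = unquote(userinfo)  # also exposes %-encoded control bytes
        user = decoded.split(":", 1)[0]
        # What a display that stops at the first control character would show.
        visible = _CONTROL.split(user, maxsplit=1)[0]
        if _CONTROL.search(decoded):
            flags.append("control-char-in-userinfo")
        if _HOSTLIKE.match(visible) and visible.lower() != real_host:
            flags.append("userinfo-imitates-host:" + visible.lower())
    return real_host, flags


# Constructed sample links (documentation-range addresses, .example names).
SAMPLES = [
    "http://www.bank.example@203.0.113.7/account.php",
    "http://www.bank.example%01:blah@198.51.100.9/login",
    "ftp://username:password@ftpsite.com",
    "http://www.example.com/path",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", inspect_link(link))
```
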



