Kthulu
Feb 4 2004, 12:36 PM
this may be old news to some, but thought this might be good to keep in mind when trying to get scripts or preview vids...
MS has released a security patch for IE that disables the ability to login to a web or ftp site by doing this:
| QUOTE |
| ftp://username:password@ftpsite.com |
the article is here.
NOTE: you'll have to substitute micro$oft in the link
yourwishismine
Feb 4 2004, 01:01 PM
| QUOTE (Kthulu @ Feb 4 2004, 08:36 AM) |
this may be old news to some, but thought this might be good to keep in mind when trying to get scripts or preview vids...
MS has released a security patch for IE that disables the ability to login to a web or ftp site by doing this:
| QUOTE | | ftp://username:password@ftpsite.com |
the article is here. NOTE: you'll have to substitute micro$oft in the link |
Micro$oft giveth and Micro$oft taketh away...
Awfully nice of them... well nice, kinda like a brick upside the head...
thetruethugg
Feb 4 2004, 01:52 PM
thetruethugg* logs into FTP using FB just to spite IE users
Muhahaha!
But seriously, it's not that big of a deal IMO, but I could be biased, I just prefer AceFTP as my FTP client, as opposed to IE/Moz
BenJeremy
Feb 4 2004, 01:56 PM
I wonder how you can force it to accept a username and password, then... I've logged into my FTP from work (here) using the URL-based login info. Will it force you to access it anonymously now?
This is really a stupid solution thanks to LCD-Think (Lowest Common Denominator)
yourwishismine
Feb 4 2004, 02:07 PM
I just took the time to read through that article on MicroShafts website.
Man, that's a load of: 'we are MicroShaft, you will do things our way or not at all'
What a great way to piss all over the users of IE and the developers websites/ftp sites.
Thank you again, MicroShaft,
Your Loyal user. (yeah right)
Kthulu
Feb 4 2004, 04:32 PM
heh, yeah, this is supposedly a new 'security feature'...if they can't login, i guess it is secure...lol
as far as how IE will act as a ftp client, i guess it will just throw one of those pop-up login boxes at you...
pelago
Feb 5 2004, 07:57 PM
Actually I think the change only gets rid of the (little used)
http://username:password@site.com-style URLs, not the
ftp://username:password@site.com ones.
Kthulu
Feb 5 2004, 08:21 PM
looking again, it looks like you're right...my bad...i've just never seen a http link that used that syntax...started assuming too much...
now my dip-shitness is here for all the world to see...
yourwishismine
Feb 5 2004, 10:14 PM
Well... it's not little used in my case as I have all my users set up to log onto webbased email from home that way.. and also other webbased protected sites that I set up for the company use... I say it's a real kick in the dick to me.. especially when all them start calling me (waking me from my sleep at my desk) asking 'why won't my email work from home.. blah blah.. oh the torment.. oh the toil.. oh the .. thanks for throwing a wrench in the machine MS...
flattspott
Feb 5 2004, 10:24 PM
Awe, did someone wake you up from your nap?
DrunkPenguin
Feb 6 2004, 12:36 AM
does anyone still use explorer? with all the better alternatives out there i don't understand the reason to keep it.
but that's just me...
DrunkPenguin
yourwishismine
Feb 6 2004, 08:42 AM
| QUOTE (DrunkPenguin @ Feb 5 2004, 08:36 PM) |
does anyone still use explorer? with all the better alternatives out there i don't understand the reason to keep it.
but that's just me...
DrunkPenguin |
When you are supporting over 50 users in a work environment... you really want them all on the same thing that is the easiest to install (in this case, since it's installed with the OS, it is the easiest)... and yes I use network ghosting and RIS services, however I also cover 4 branches within a 800 mile radius and I don't really want to go spending all my time on the road... so from my perspective, using an alternative would create not only the extra work of installing different software, but would also require me to retrain all those people on using the new browser (yes even if it worked EXACTLY the same, they would still need retrained), but I would also have to deal with all those tech support calls of them saying 'how do I do this' and 'this doesn't work in this new browser-thingy'.. so a different browser isn't much of an alternative...
pelago
Feb 6 2004, 10:55 AM
You know why they've done this, though? It's to stop scams where people send fake emails inviting people to login to URLs like:
http://www.natwest.co.uk:cgi-bin@12345678/account.php
Recipients reading such a URL will assume it is on the NatWest online banking website, and will happily type in their password, which will instead go to the scammers. It takes a close look before you realise this is not actually on the NatWest site, as many people don't know about the username:password@ thing.
I think I'd rather have the inconvenience of a few genuine username:password@ sites not working, than the problem of the scam above, which caused lots of problems.
yourwishismine
Feb 6 2004, 11:47 AM
| QUOTE (pelago @ Feb 6 2004, 06:55 AM) |
You know why they've done this, though? It's to stop scams where people send fake emails inviting people to login to URLs like:
http://www.natwest.co.uk:cgi-bin@12345678/account.php
Recipients reading such a URL will assume it is on the NatWest online banking website, and will happily type in their password, which will instead go to the scammers. It takes a close look before you realise this is not actually on the NatWest site, as many people don't know about the username:password@ thing.
I think I'd rather have the inconvenience of a few genuine username:password@ sites not working, than the problem of the scam above, which caused lots of problems. |
I agree with that to an extent, but a better solution would be to take these spammers out and chop their hands off...
geniusalz
Feb 6 2004, 01:44 PM
Another form of this exploit is slightly worse. Using the same user:pwd@site trick, you can put some characters in the username that cause IE to regard the string as terminated. Therefore all you see in the status bar when hovering over a link is the username, and when you click the link, that's what goes in the address bar too.
e.g.
http://fakesite.com<illegal char here>:blah@blah.com
will just look like
http://fakesite.com
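Added example, not part of any post in this thread: a link audit of the kind a mail filter or proxy could run to catch the two userinfo tricks described above, reporting the host a browser would really contact. The function names, the finding labels and the heuristics are assumptions of this example, and the second sample URL is constructed (the control byte in it is arbitrary).

```python
import re
from urllib.parse import urlsplit, unquote

# Heuristics below are assumptions of this example, not rules from the IE patch.
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
NUMERIC_HOST = re.compile(r"^(?:\d+|0x[0-9a-f]+|\d{1,3}(?:\.\d{1,3}){3})$", re.I)
CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def audit_link(url):
    """Return (real_host, findings) for one link found in a message."""
    parts = urlsplit(url)
    host = parts.hostname          # the part after the last '@' is what gets contacted
    findings = []
    userinfo, at, _ = parts.netloc.rpartition("@")
    # Only web links are audited here; FTP logins in URLs are left alone.
    if parts.scheme not in ("http", "https") or not at:
        return host, findings
    findings.append("userinfo-present")
    user = unquote(userinfo.partition(":")[0])
    # Raw or percent-encoded control bytes have no business in a user name.
    if CONTROL.search(user):
        findings.append("control-char-in-userinfo")
    # A "user name" shaped like a domain is what the reader mistakes for the site.
    if HOSTLIKE.match(CONTROL.sub("", user)):
        findings.append("userinfo-looks-like-hostname")
    # Bare decimal, hex or dotted-quad hosts hide where the link really goes.
    if NUMERIC_HOST.match(host or ""):
        findings.append("numeric-host")
    return host, findings


# Sample links: the first and third are quoted in the thread, the second is constructed.
SAMPLE_LINKS = [
    "http://www.natwest.co.uk:cgi-bin@12345678/account.php",
    "http://fakesite.example%1f:blah@blah.example/",
    "ftp://username:password@ftpsite.com",
]


def audit_all(links):
    """Map each link to its (real_host, findings) result."""
    return {link: audit_link(link) for link in links}


if __name__ == "__main__":
    for link, (host, findings) in audit_all(SAMPLE_LINKS).items():
        print(f"{link}\n  real host: {host}\n  findings: {findings or 'none'}")
```
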