
Internet Explorer update Q832894


mwpc (Programmer, US), Apr 28, 2002
On Feb 2 I installed the MS update Q832894 for Internet Explorer on a PC running win2k.

Today Feb 5, a client in another location was having trouble accessing a website that places the htaccess username & password in the location tag for login, such as:


I tried to access the site, and had the same problem with Explorer, but Netscape & Mozilla worked fine. After I removed Q832894, the website could be accessed normally with Explorer again.
 
One of the vulnerabilities that that patch resolves is
A vulnerability that involves the incorrect parsing of URLs that contain special characters. When combined with a misuse of the basic authentication feature that has "username:password@" at the beginning of a URL, this vulnerability could result in a misrepresentation of the URL in the address bar of an Internet Explorer window. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page that had a specially-crafted link. The attacker would then have to persuade a user to click that link. The attacker could also create an HTML e-mail message that had a specially-crafted link, and then persuade the user to view the HTML e-mail message and then click the malicious link. If the user clicked this link, an Internet Explorer window could open with a URL of the attacker's choice in the address bar, but with content from a Web Site of the attacker's choice inside the window. For example, an attacker could create a link that once clicked on by a user would display in the address bar, but actually contained content from another Web Site, such as (Note: these web sites are provided as an example only, and both redirect to
The fix for this was to remove the functionality of the "username:password@" in URLs for IE.
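As an added illustration (not code from this thread or from Microsoft), here is a small Python check of the kind a proxy or mail filter could apply to spot the decoy pattern the KB text describes: an http(s) URL whose "username" part before the "@" looks like a hostname, so the browser connects somewhere other than what the user reads. It also flags percent-encoded control characters in that part, a generalization of the "special characters" the KB mentions. All hosts and URLs below are constructed examples.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample URLs (hypothetical hosts, not taken from the thread).
SAMPLE_URLS = [
    "http://user:secret@intranet.example.com/docs/",           # ordinary basic-auth login URL
    "http://www.bank.example.com@attacker.example.net/login",  # decoy hostname before '@'
    "http://www.bank.example.com%01@attacker.example.net/",    # control char hidden in userinfo
    "https://www.bank.example.com/login",                      # no userinfo at all
]

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def analyze_url(url):
    """Report the host the browser will really contact and why the URL looks like a spoof."""
    parts = urlsplit(url)
    result = {"scheme": parts.scheme, "real_host": parts.hostname,
              "userinfo": None, "suspicious": False, "reasons": []}
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return result
    # Everything before the last '@' is userinfo; the real host follows it.
    userinfo, _, _ = parts.netloc.rpartition("@")
    result["userinfo"] = userinfo
    user = unquote(userinfo.split(":", 1)[0])
    # Heuristic: a "username" containing a dot reads like a hostname to the user.
    if "." in user and not user.startswith("."):
        result["reasons"].append("username resembles a hostname: %s" % user)
    if CONTROL_CHARS.search(user):
        result["reasons"].append("control characters in userinfo")
    result["suspicious"] = bool(result["reasons"])
    return result


def suspicious_urls(urls):
    """Return only the URLs that trip one of the checks above."""
    return [u for u in urls if analyze_url(u)["suspicious"]]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyze_url(u)
        print("%-55s -> host=%s suspicious=%s %s"
              % (u, r["real_host"], r["suspicious"], "; ".join(r["reasons"])))
```

A plain basic-auth URL with a normal username is left alone; only the decoy and control-character cases are reported.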
 