New problem after security update! Please advise!

Dave Steele

I have a website based on FLASH. I have a client section
that requires a user name and password. Up until a few
days ago, everything was working great. Now, clients
receive an error.

In Flash, using JavaScript, I pass the user/pass like
this:

http://username:[email protected]/client_folder

It used to work, but now with a new security issue or
something with explorer, it does not work. Any reason
why? I know that this is not truly a secure way to do
this, however, it works and I am not passing personal
information. Any advice on the resolution of this issue
would be appreciated.

Dave Steele
 
All is explained in...

A security update is available that modifies the default behavior of
Internet Explorer for handling user information in HTTP and in HTTPS URLs
http://support.microsoft.com/?kbid=834489

<paste>
A security update is available that removes support for handling user names
and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs
in Microsoft Internet Explorer. The following URL syntax is no longer
supported in Internet Explorer or in Windows Explorer after you install the
MS04-004 Cumulative Security Update for Internet Explorer (832894):

http(s)://username:password@server/resource.ext

This article is intended to notify you of this change in the default
behavior of Internet Explorer. If you include user information in HTTP or
HTTPS URLs, Microsoft recommends that you explore the workarounds that are
described in this article before you install the 832894 security update. ...

[Why?]

A malicious user might use this URL syntax to create a hyperlink that
appears to open a legitimate Web site but actually opens a deceptive
(spoofed) Web site. For example, the following URL appears to open
http://www.wingtiptoys.com but actually opens http://example.com:

http://www.wingtiptoys.com@example.com

Additionally, malicious users [Not you, certainly!] can use this URL syntax
together with other methods to create a link to a deceptive (spoofed) Web
site that displays the URL to a legitimate Web site in the Status bar,
Address bar, and Title bar of all versions of Internet Explorer.
</paste>
--
Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH VSOP

What You Should Know About the Mydoom Worm Variants:
Mydoom.A, Mydoom.B, and Mydoom.C (a.k.a. Doomjuice)
http://www.microsoft.com/security/antivirus/mydoom.asp

Before You Connect a New Computer to the Internet
http://www.cert.org/tech_tips/before_you_plug_in.html
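
As an added example (not part of the original posts or the KB article), the sketch below uses the standard `URL` parser in Node.js and browsers to show which host a `user:pass@host` link really targets, and to flag links whose user-name field reads like a different site. The function names and sample list are constructed for illustration; the host names are the ones quoted in the KB excerpt.

```javascript
// Added example. Function names and sample URLs are constructed for
// illustration; host names are the ones quoted in the KB excerpt above.

// Matches strings shaped like a DNS name, e.g. "www.wingtiptoys.com".
const HOSTLIKE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

function safeDecode(s) {
  // The URL parser leaves malformed %-sequences in place; decoding may throw.
  try { return decodeURIComponent(s); } catch { return s; }
}

function inspectUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { raw, valid: false };
  }
  const isWeb = u.protocol === "http:" || u.protocol === "https:";
  const user = safeDecode(u.username);
  const hasUserinfo = isWeb && (u.username !== "" || u.password !== "");
  return {
    raw,
    valid: true,
    realHost: u.hostname,           // where the request is actually sent
    hasUserinfo,                    // syntax removed by the 832894 update
    hasPassword: u.password !== "", // credential exposed in the link itself
    // User name that reads like a different site: the spoofing pattern.
    deceptive: hasUserinfo && HOSTLIKE.test(user) &&
               user.toLowerCase() !== u.hostname.toLowerCase(),
  };
}

// Return only the links that rely on user information in the URL.
function auditLinks(links) {
  return links.map(inspectUrl).filter((r) => r.valid && r.hasUserinfo);
}

const SAMPLE_LINKS = [
  "http://www.wingtiptoys.com@example.com",        // example from the KB text
  "http://username:password@server/resource.ext",  // syntax from the KB text
  "http://www.wingtiptoys.com/",                   // ordinary link
];

for (const r of auditLinks(SAMPLE_LINKS)) {
  console.log(`${r.raw} -> host=${r.realHost} deceptive=${r.deceptive}`);
}
```

Running the same audit over a site's own links finds the ones that will stop working after the update, such as the embedded-credential link described in the first post.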