W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2004

Re: ftp://user[:pass]@host/ ? Microsoft to Strike IE URL Passwords

From: Peter Watkins <peterw@usa.net>
Date: Sat, 31 Jan 2004 13:49:59 -0500
Message-ID: <401BF8D7.7050508@usa.net>
To: Paul Leach <paulle@windows.microsoft.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>, Dave Kristol <dmk@acm.org>

Paul,

In brief:
  1) we use ftp://user@host/path at work; will the update break this?
  2) the "0x01" Location display bug seems to provide an attack vector 
for ftp: URLs

KB 834489 makes no mention of ftp:// URLs. At work we have a number of 
users who have bookmarked internal FTP servers as ftp://user@host/path 
in IE. Will this upcoming patch also break user[:pass]@ within ftp: 
URLs? How about other schemes that use the Common Internet Scheme Syntax 
[CISS] outlined in RFC 1738?

As you might guess, I believe it would be nice if KB 834489 were updated 
to explicitly address ftp: and other schemes handled by IE.

And I wonder about the potential for attacks based on ftp: URLs; if the 
IE team's response to the 0x01 is eliminating CISS, then I'd expect them 
to eliminate it throughout IE, affecting more than just http(s) schemes.

It looks like 0x01/CISS is a concern in IE6/XP for ftp: URLs. Some quick 
testing shows that clicking on a link coded as
   <a 
href="ftp://anonymous:www.microsoft.com%01@mirror.cs.wisc.edu/pub/">go</a>
displays in the IE Location bar as "ftp://anonymous:www.microsoft.com" 
-- so presumably if an attacker made their FTP server ignore both 
username and password contents, the attacker could use HTML like
   <a href="ftp://www.microsoft.com%01:bogus@mirror.cs.wisc.edu/pub/">go</a>
or perhaps set up "www" as the anonymous account, ignore the password 
contents, and use an attack URL like
   <a href="ftp://www:microsoft.com%01@mirror.cs.wisc.edu/pub/">go</a>
to trick the intended victim. Sure, "ftp://www.microsoft.com" and 
"ftp://www:microsoft.com" don't look quite right to those of us who are 
RFC-literate (neither has a URI/path), but they might look good enough 
to fool a good number of users (hey, we're dealing with users who still 
double-click any attachment that comes their way).

Thanks & happy new year,

Peter
Received on Saturday, 31 January 2004 13:50:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:27 GMT