Article ID: 834489 - View products that this article applies to.
This article is intended to notify Web site administrators and IT professionals about the behavior of Internet Explorer when user information is included in a Web site address (HTTP or HTTPS URL).
By default, versions of Windows Internet Explorer that were released starting with the release of security update 832894 do not support handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs. The following URL syntax is not supported in Internet Explorer or in Windows Explorer:
http(s)://username:password@server/resource.extThis article is intended to notify you of this default behavior of Internet Explorer. If you include user information in HTTP or HTTPS URLs, we recommend that you explore the workarounds that are described in this article. For more information about the 832894 security update, visit the following Microsoft Web site:
Background informationInternet Explorer versions 3.0 to 6.0 support the following syntax for HTTP or HTTPS URLs:
http(s)://username:password@server/resource.extYou can use this URL syntax to automatically send user information to a Web site that supports the basic authentication method.
A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the following URL appears to open http://www.wingtiptoys.com but actually opens http://example.com:
http://firstname.lastname@example.orgNote In this case, Internet Explorer 6 Service Pack 1 (SP1) and Internet Explorer 6 for Microsoft Windows Server 2003 only display "http://example.com" in the Address bar. However, earlier versions of Internet Explorer display "http://email@example.com" in the Address bar.
Additionally, malicious users can use this URL syntax together with other methods to create a link to a deceptive (spoofed) Web site that displays the URL to a legitimate Web site in the Status bar, Address bar, and Title bar of all versions of Internet Explorer.
For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/833786/ )Steps that you can take to help identify and to help protect yourself from deceptive (spoofed) Web sites and malicious hyperlinks
Explanation of the change in the default behaviorTo mitigate the issues that are discussed in the "Background information" section, Internet Explorer and Windows Explorer no longer support handling HTTP and HTTPS URLs of this form. Windows Explorer and Internet Explorer do not open HTTP or HTTPS sites by using a URL that includes user information. By default, if user information is included in an HTTP or an HTTPS URL, a Web page that has the following title appears:
Invalid syntax errorNote This change in the default behavior does not affect other protocols. For example, you can still include user information in an FTP URL after you install the 832894 security update.
This change in the default behavior is also implemented by security updates, service packs, and versions of Internet Explorer that were released starting with the release of security update 832894.
Workarounds for users
URLs that are opened by users who type the URL in the Address bar or click a linkIf users typically type HTTP or HTTPS URLs that include user information in the Address bar, or click links that include user information in HTTP or HTTPS URLs, you can work around this new functionality in Internet Explorer in two ways:
Workarounds for application and Web site developers
URLs that are opened by objects that call WinInet or Urlmon functionsFor objects that use an HTTP or an HTTPS URL that includes user information when they call a WinInet or Urlmon function such as InternetOpenURL, rewrite the object to use one of the following methods to send user information to the Web site:
http://firstname.lastname@example.orgThe user still arrives at the redirected Web site. In this example, the user arrives at http://www.example.com.
http://www.ietf.org/rfc/rfc2965.txtTo see an example of how to use Visual Basic to read and write HTTP cookies in an ASP.NET Web program, visit the following Microsoft Web site:
How to disable the new behavior or to use it in other programsYou can set registry values to use this new behavior in other programs that host the Web browser control or to disable this new behavior for Windows Explorer and Internet Explorer.
How programs that host the Web browser control can use this new default behavior to handle user information in HTTP or in HTTPS URLsBy default, this new default behavior for handling user information in HTTP or HTTPS URLs applies only to Windows Explorer and Internet Explorer. To use this new behavior in other programs that host the Web browser control, create a DWORD value named SampleApp.exe, where SampleApp.exe is the name of the executable file that runs the program. Set the DWORD value's value data to 1 in one of the following registry keys.
How to disable the new default behavior for handling user information in HTTP or HTTPS URLsTo have us disable the new default behavior in Windows Explorer and Internet Explorer for you, go to the "Fix it for me" section. If you prefer to fix this problem yourself, go to the "Let me fix it myself" section.
Fix it for me
To fix this problem automatically, click the Fix it button or link. In the File Download dialog box, click Run and then follow the steps in the Fix it Wizard.
Fix this problem
Microsoft Fix it 50642
Then, go to the "Did this fix the problem?" section.
Let me fix it myselfTo disable the new default behavior in Windows Explorer and Internet Explorer, create iexplore.exe and explorer.exe DWORD values in one of the following registry keys and set their value data to 0.
Did this fix the problem?
For an explanation of the standard URL syntax for HTTP or HTTPS URLs, visit the following Internet Engineering Task Force (IETF) Web sites:
RFC 1738: Uniform Resource Locators (URL)Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax
RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1
Article ID: 834489 - Last Review: June 28, 2011 - Revision: 12.1