Internet Explorer displays credentials in status bar when used as an FTP client

This content is 19 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A couple of weeks back, one of my clients pointed out that when he opens files from an FTP site using Internet Explorer (IE) as an FTP client his user name and password is displayed in the status bar at the bottom of his browser window.

FTP credentials visible in IE status bar

I seem to have the same problem with various flavours of Windows (2000, XP and 2003), a variety of IE patch levels, and can repeat it against both Unix and Windows-based FTP servers. I’ve not been able to test with older browser versions but as IE6 is the current version, this is my main concern.

One would think that there would be loads of information out on the ‘net about this but I can’t find much at all (except some reference to the issue in an tip), which seems to suggest IE6 SP1 fixed this strange behaviour. Indeed, I built a PC with Windows XP SP1 (slipstreamed) and the issue was not there; however it reappeared after I upgraded to Windows XP SP2. I know the password will always be passed over the wire in clear text, and that RFC 2396, which defines the generic syntax for URIs (specifically section 3.2.2) recommends against the use of the format “user:password” in the userinfo field of the URL, but that’s just the way that FTP has been implemented! All I want to do is to prevent IE from displaying it in the status bar. As for ISA Server capturing the details in the proxy server logs… well that’s a whole new can of worms.

The strange thing is that a colleague who is using the same Internet Explorer version as me (6.0.2900.2180.xpsp_sp2_gdr.050301.1519 at update version SP2) can not repeat the issue.

It doesn’t help that IE version numbers don’t seem to increment as patches are applied. There is an interesting discussion of the merits of the Microsoft IE version number approach vs. the Mozilla Firefox approach in the comments to the April IE Security Update is available post on the IEBlog, and for anyone searching for information on the various versions of IE, the version numbers and associated Windows operating system version are all listed in Microsoft knowledge base article 164539. What I can’t find is any information on the fixes which update the last portion of the version number (i.e. from 6.0.2900.2180.xpsp_sp2_rtm.040803-2158 to 6.0.2900.2180.xpsp_sp2_gdr.050301.1519), although Microsoft knowledge base article 824994 does describe the significance of release to manufacturing (RTM), general distribution release (GDR), service pack (SPX) and quick fix engineering (QFE) software update packages and there is an article about the package installer (formerly called update.exe) for Microsoft Windows operating systems and Windows components in the Microsoft Windows Server 2003 TechCenter, which describes the multiple-branch-aware structure used for Microsoft patches.

I’ve spent hours loading patches one by one onto a client to see if the issue is resolved as a side-effect of a posted hotfix but can’t seem to get anywhere on this. The only answers I hear are “use the insert product name here FTP client” (incidentally, my preference is FileZilla) or “use SFTP”. What I’d like to hear is “apply Microsoft update xxxxxx“.

3 thoughts on “Internet Explorer displays credentials in status bar when used as an FTP client

  1. Mark,
    Have you tried to find out if any Browser Helper Objects are installed for the RTM version that might be exihibiting this behaviour. I am running into issues with RTM version of IE 6+ now rendering VML correctly.


    Trevor Benedict R

  2. Just an update. I solved my issue by upgrading the MSXML Parser to the latest version (4.0) since this was VML related and then restarting the Laptop.


    Trevor Benedict R

  3. Thanks for the suggestions Trevor.

    I’m not sure if my current configuration is exhibiting this problem (I’ve changed jobs and switched PCs since the original post) but I’ll check them out if I notice this again.


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.