A couple of weeks back, one of my clients pointed out that when he opens files from an FTP site using Internet Explorer (IE) as an FTP client, his user name and password are displayed in the status bar at the bottom of his browser window.
I seem to have the same problem with various flavours of Windows (2000, XP and 2003), a variety of IE patch levels, and can repeat it against both Unix and Windows-based FTP servers. I’ve not been able to test with older browser versions but as IE6 is the current version, this is my main concern.
One would think that there would be loads of information out on the ‘net about this but I can’t find much at all (except some reference to the issue in an internetfixes.com tip), which seems to suggest IE6 SP1 fixed this strange behaviour. Indeed, I built a PC with Windows XP SP1 (slipstreamed) and the issue was not there; however it reappeared after I upgraded to Windows XP SP2. I know the password will always be passed over the wire in clear text, and that RFC 2396, which defines the generic syntax for URIs, recommends (in section 3.2.2) against the use of the format “user:password” in the userinfo field of the URL, but that’s just the way that FTP has been implemented! All I want to do is to prevent IE from displaying it in the status bar. As for ISA Server capturing the details in the proxy server logs… well that’s a whole new can of worms.
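As an added illustration (not from the original post), the following Python scrubs the “user:password” userinfo out of URLs found in proxy log lines and lists the accounts whose passwords were written to the log so they can be rotated; the log lines and host names are constructed samples.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Matches an ftp:// or http(s):// URL whose authority carries a userinfo
# component (RFC 2396 section 3.2.2: user[:password]@host). An unencoded
# '@' or '/' cannot appear inside userinfo, so the first '@' ends it.
_URL_WITH_USERINFO = re.compile(
    r"\b(?:ftp|https?)://[^\s/?#@]+@[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample proxy log lines (not real hosts or accounts).
SAMPLE_LOG = [
    "2005-04-12 09:14:02 10.0.0.5 GET ftp://alice:Pa%24%24w0rd@ftp.example.com/pub/readme.txt 200",
    "2005-04-12 09:14:05 10.0.0.5 GET http://www.example.com/index.html 200",
    "2005-04-12 09:15:11 10.0.0.7 GET ftp://anonymous@ftp.example.org/ 200",
]


def redact_userinfo(url: str) -> str:
    """Return url with the password part of its userinfo replaced by '***'.

    A URL with no userinfo, or a bare user name without a password
    (e.g. ftp://anonymous@host/), is returned unchanged."""
    parts = urlsplit(url)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep or ":" not in userinfo:
        return url
    user = userinfo.split(":", 1)[0]
    return urlunsplit((parts.scheme, f"{user}:***@{hostport}",
                       parts.path, parts.query, parts.fragment))


def scrub_log_line(line: str) -> tuple[str, int]:
    """Redact every embedded password in a log line; return (line, count)."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        redacted = redact_userinfo(match.group(0))
        if redacted != match.group(0):
            count += 1
        return redacted

    return _URL_WITH_USERINFO.sub(_sub, line), count


def leaked_accounts(lines: list[str]) -> set[tuple[str, str]]:
    """Return {(user, host)} for every URL that carried a password in clear."""
    found = set()
    for line in lines:
        for match in _URL_WITH_USERINFO.finditer(line):
            userinfo, _, hostport = urlsplit(match.group(0)).netloc.rpartition("@")
            if ":" in userinfo:
                found.add((unquote(userinfo.split(":", 1)[0]), hostport))
    return found
```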
The strange thing is that a colleague who is using the same Internet Explorer version as me (6.0.2900.2180.xpsp_sp2_gdr.050301.1519 at update version SP2) cannot repeat the issue.
It doesn’t help that IE version numbers don’t seem to increment as patches are applied. There is an interesting discussion of the merits of the Microsoft IE version number approach vs. the Mozilla Firefox approach in the comments to the “April IE Security Update is available” post on the IEBlog, and for anyone searching for information on the various versions of IE, the version numbers and associated Windows operating system versions are all listed in Microsoft knowledge base article 164539. What I can’t find is any information on the fixes which update the last portion of the version number (i.e. from 6.0.2900.2180.xpsp_sp2_rtm.040803-2158 to 6.0.2900.2180.xpsp_sp2_gdr.050301.1519), although Microsoft knowledge base article 824994 does describe the significance of release to manufacturing (RTM), general distribution release (GDR), service pack (SPX) and quick fix engineering (QFE) software update packages, and there is an article about the package installer (formerly called update.exe) for Microsoft Windows operating systems and Windows components in the Microsoft Windows Server 2003 TechCenter, which describes the multiple-branch-aware structure used for Microsoft patches.
I’ve spent hours loading patches one by one onto a client to see if the issue is resolved as a side-effect of a posted hotfix but can’t seem to get anywhere on this. The only answers I hear are “use the insert product name here FTP client” (incidentally, my preference is FileZilla) or “use SFTP”. What I’d like to hear is “apply Microsoft update xxxxxx”.