XMLHTTP call fails for URLs with embedded user credentials (832414)
The information in this article applies to:
- Microsoft XML 2.6
- Microsoft XML 3.0
- Microsoft XML 4.0
Note The update that is described in this article is superseded by the
update that is described in the following Microsoft Knowledge Base article:
887606 MSXML uses cached credentials incorrectly
SYMPTOMSYou make XMLHTTP calls with the following formats:
Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
false, "", "");
Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
false, "someone", "passwd");
Xmlhttp.open("GET",
"http://www.northwindtraders.com/default.asp",
false, "someone", "mypass");
The call fails, and you receive the following error message: Invalid Syntax Error However, the following call is
successful: Xmlhttp.open("GET", "http://www.northwindtraders.com/default.asp", false, "", ""); CAUSEThe Microsoft Internet Explorer security update that is
described in the following Microsoft Knowledge Base article bans URLs with
embedded user credentials: 832894 MS04-004: Cumulative Security Update for Internet Explorer . RESOLUTIONA supported fix is now available from Microsoft. This fix
will only enable the scenario where user credentials are passed as parameters
in the Open() method call. This fix will not enable scenarios where the user
credentials are embedded in the URL. Note This fix is only for the following versions of the Microsoft XML
Parser (MSXML):
- Microsoft XML 2.6
- Microsoft XML 3.0 Service Pack 2
- Microsoft XML 3.0 Service Pack 3
- Microsoft XML 3.0 Service Pack 4
- Microsoft XML 4.0 Service Pack 2
For additional information about how to obtain the
updated files and for additional details, click the following article number to
view the article in the Microsoft Knowledge Base: 887606
MSXML uses cached credentials incorrectly
WORKAROUNDTo work around this problem, use the following format. Xmlhttp.open("GET", "http://www.northwindtraders.com/default.asp", false, "", ""); STATUSMicrosoft has confirmed that the scenario where user
credentials are passed as parameters in the Open() method call and are not embedded in the URL, is a problem in the
Microsoft products that are listed in the "Applies to" section. REFERENCESFor additional information, see the following Microsoft
Security Bulletin: For additional information,
click the following article numbers to view the articles in the Microsoft
Knowledge Base: 834489
A security update is available
that modifies the default behavior of Internet Explorer for handling user
information in HTTP and in HTTPS URLs
887606 MSXML uses cached credentials incorrectly
269238 INFO: Version List of the Microsoft XML Parser
278674 Determine the Version of MSXML Parser Installed on a Computer
The example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization,
product, domain name, e-mail address, logo, person, places, or events is
intended or should be inferred.
Modification Type: | Minor | Last Reviewed: | 6/1/2006 |
---|
Keywords: | kbfix kbBug KbSECVulnerability KbSECBulletin kbSecurity kbHotfixServer kbQFE KB832414 kbAudDeveloper |
---|
|