Threaded Mode | Linear Mode

***JJoe*** · Oct. 10, 2012, 11:57 PM

Not really a fault.

It may be possible to embed username and password for a resource in a url. Looks like http(s)://username:password@resource.

Evidently your browser recognizes it and $JUMP (unlike $RDIR) allows the browser to see it.

IE dropped support for embed username and password under http(s), http://support.microsoft.com/default.asp...LN];834489 .

Quote:Internet Explorer versions 3.0 to 6.0 support the following syntax for HTTP or HTTPS URLs:
http(s)://username:password@server/resource.ext
You can use this URL syntax to automatically send user information to a Web site that supports the basic authentication method.

A malicious user might use this URL syntax to create a hyperlink that appears to open a legitimate Web site but actually opens a deceptive (spoofed) Web site. For example, the following URL appears to open http://www.wingtiptoys.com but actually opens http://example.com:
http://www.wingtiptoys.com@example.com
Note In this case, Internet Explorer 6 Service Pack 1 (SP1) and Internet Explorer 6 for Microsoft Windows Server 2003 only display "http://example.com" in the Address bar. However, earlier versions of Internet Explorer display "http://www.wingtiptoys.com@example.com" in the Address bar.

Additionally, malicious users can use this URL syntax together with other methods to create a link to a deceptive (spoofed) Web site that displays the URL to a legitimate Web site in the Status bar, Address bar, and Title bar of all versions of Internet Explorer.

Another problem with $JUMP is that you must add something to prevent an infinite loop.

\0&$JUMP(siteb)
A. The browser requests sitea,
B. Proxomitron $JUMPs to siteb,
C. Browser requests siteb,
D. Go To B and start Infinite loop

(^siteb)\0&$JUMP(siteb) doesn't loop.

Assuming the $JUMP works after dismissing the "Confirm" dialog, the browser may allow you to disable the warnings.