DetailPage-MSS-KB

Microsoft small business knowledge base

Article ID: 832414 - Last Review: December 26, 2006 - Revision: 11.5

Hotfix Download Available
View and request hotfix downloads
 
Note The update that is described in this article is superseded by the update that is described in the following Microsoft Knowledge Base article:
887606  (http://support.microsoft.com/kb/887606/ ) MSXML uses cached credentials incorrectly

SYMPTOMS

You make XMLHTTP calls with the following formats:
Xmlhttp.open("GET", 
"http://someone:mypass@www.northwindtraders.com/default.asp", 
 false, "", "");
Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
 false, "someone", "passwd");
Xmlhttp.open("GET",
 "http://www.northwindtraders.com/default.asp",
  false, "someone", "mypass");
The call fails, and you receive the following error message:
Invalid Syntax Error
However, the following call is successful:
Xmlhttp.open("GET", "http://www.northwindtraders.com/default.asp", false, "", "");

CAUSE

The Microsoft Internet Explorer security update that is described in the following Microsoft Knowledge Base article bans URLs with embedded user credentials:
832894  (http://support.microsoft.com/kb/832894/ ) MS04-004: Cumulative Security Update for Internet Explorer
.

MORE INFORMATION

Even after you apply the fix that is provided in this article, XMLHTTP calls with URLs in the following formats still fail.
Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
 false);
Xmlhttp.open("GET",
"http://someone:mypass@www.northwindtraders.com/default.asp",
 false, "someone", "passwd");
You must apply the fix, and you must also change the URL to the following format.
Xmlhttp.open("GET", "http://www.northwindtraders.com/default.asp", false, "someone", "mypass");

RESOLUTION

A supported fix is now available from Microsoft. This fix will only enable the scenario where user credentials are passed as parameters in the Open() method call. This fix will not enable scenarios where the user credentials are embedded in the URL.

Note This fix is only for the following versions of the Microsoft XML Parser (MSXML):
  • Microsoft XML 2.6
  • Microsoft XML 3.0 Service Pack 2
  • Microsoft XML 3.0 Service Pack 3
  • Microsoft XML 3.0 Service Pack 4
  • Microsoft XML 4.0 Service Pack 2
For additional information about how to obtain the updated files and for additional details, click the following article number to view the article in the Microsoft Knowledge Base:
887606  (http://support.microsoft.com/kb/887606/ ) MSXML uses cached credentials incorrectly

WORKAROUND

To work around this problem, use the following format.
Xmlhttp.open("GET", "http://www.northwindtraders.com/default.asp", false, "", "");

STATUS

Microsoft has confirmed that the scenario where user credentials are passed as parameters in the Open() method call and are not embedded in the URL, is a problem in the Microsoft products that are listed in the "Applies to" section.

REFERENCES

For additional information, see the following Microsoft Security Bulletin:
http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx (http://www.microsoft.com/technet/security/bulletin/MS04-004.mspx)
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
834489  (http://support.microsoft.com/kb/834489/ ) Internet Explorer does not support user names and passwords in Web site addresses (HTTP or HTTPS URLs)
887606  (http://support.microsoft.com/kb/887606/ ) MSXML uses cached credentials incorrectly
269238  (http://support.microsoft.com/kb/269238/ ) INFO: Version List of the Microsoft XML Parser
278674   (http://support.microsoft.com/kb/278674/ ) Determine the Version of MSXML Parser Installed on a Computer
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

APPLIES TO
  • Microsoft XML Parser 2.6
  • Microsoft XML Parser 3.0
  • Microsoft XML Core Services 4.0
Keywords: 
kbfix kbbug kbsecvulnerability kbsecbulletin kbsecurity kbhotfixserver kbqfe KB832414
Share
Additional support options
Ask The Microsoft Small Business Support Community
Contact Microsoft Small Business Support
Find Microsoft Small Business Support Certified Partner
Find a Microsoft Store For In-Person Small Business Support