MS04-004 updates

The current issue of Woody’s Windows Watch talks about the FUBAR stuff that MS04-004 has caused for a number of people. MS04-004 is the patch that removes the ability to include a username and password in the URL field, and it has apparently broken a number of applications and sites. So MS has released an update to the patch, MSKB 831167. The symptoms are described as follows:

Programs that use Wininet functions to post data (such as a user name or a password) to a Web server retry the POST request with a blank header if the Web server closes (or resets) the initial connection request.

Note: A POST request has a blank header if its content length is set to 0 or is empty.

Sometimes, this behavior prevents another reset from occurring and permits authentication to complete. However, you may receive an HTTP 500 (Internal server error) Web page if the Web server must have the POST data included when Wininet retries the POST request.

For example, when you submit your user name and password to an SSL-secured Web site by using a form on an HTTPS Web page, Microsoft Internet Explorer may not resend this information to the Web server if the initial connection is closed (or reset).
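
As an added illustration (not part of the KB article or the original post), the sketch below scans web-server request records for the symptom described above: a POST with an empty or zero Content-Length that is answered with HTTP 500 on a path that otherwise receives form data. The log layout, field order and sample records are constructed for the example.

```python
# Constructed sample records (not from the KB article). Assumed layout:
# time client method path request-content-length status; "-" = header absent.
SAMPLE_LOG = """\
2004-02-10T09:00:01 192.0.2.10 POST /login 48 302
2004-02-10T09:00:07 192.0.2.11 POST /login 0 500
2004-02-10T09:00:09 192.0.2.11 POST /login 51 302
2004-02-10T09:01:15 192.0.2.12 POST /login - 500
2004-02-10T09:02:00 192.0.2.13 POST /ping 0 200
2004-02-10T09:02:30 192.0.2.14 GET /login - 200
2004-02-10T09:03:00 192.0.2.15 POST /search 0 500
"""


def parse(line):
    """Return a record dict, or None for a line that does not fit the layout."""
    fields = line.split()
    if len(fields) != 6:
        return None
    when, client, method, path, length, status = fields
    try:
        # A missing Content-Length is treated like 0, as in the KB note.
        body_len = 0 if length == "-" else int(length)
        status = int(status)
    except ValueError:
        return None
    return {"when": when, "client": client, "method": method,
            "path": path, "body_len": body_len, "status": status}


def find_blank_post_failures(log_text):
    """List (time, client, path) for blank POSTs that failed with HTTP 500."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    posts = [r for r in records if r["method"] == "POST"]
    # Paths that also receive non-empty POST bodies are the ones that
    # need the form data, so a blank POST there is the retry symptom.
    needs_body = {r["path"] for r in posts if r["body_len"] > 0}
    return [(r["when"], r["client"], r["path"]) for r in posts
            if r["body_len"] == 0 and r["status"] == 500
            and r["path"] in needs_body]


if __name__ == "__main__":
    for hit in find_blank_post_failures(SAMPLE_LOG):
        print(*hit)
```

The `/search` record is not reported because no non-empty POST to that path appears in the sample, so there is no evidence the endpoint requires a body.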
