https://www.exploit-db.com/exploits/19473
https://www.securityfocus.com/bid/87772
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199908-053

InternetExplorer5.0版本记录URL历史记录中FTP服务器上的用户名和密码，（1）本地用户利用从其他用户的index.dat读取信息，或者（2）当用户鼠标移动至链接上时，被物理窥探(“shouldersurfing”)的人利用从状态栏上读取信息。

Microsoft Internet Explorer 5.0 for Windows 2000/Windows NT 4 FTP Password Storage Vulnerability

source: http://www.securityfocus.com/bid/610/info

FTP usernames and passwords for sites accessed via Internet Explorer 5.X are stored (cleartext) in history files stored under WinntProfiles[Username]HistoryHistory.IE5index.dat and WinntProfiles[Username]HistoryHistory.IE5MSHist<date>..index.dat. By default, the WinntProfiles[Username]History directories are secured with ACLs to allow Full Control for System, the Administrators group, and the given Username. The index.dat files, however, are created with Everyone:Full Control permissions.

Because the "Bypass Traverse Checking" right is assigned by default to the Everyone group, any user with access to the host can read any other user's index.dat files. 

To bypass traverse checking and access another user's index.dat files, reference the absolute filename. For example, to search for all index.dat files belonging to the "administrator" account, issue the following command from a command prompt:

find "//"<winntprofilesadministratorhistoryhistory.ie5index.dat

来源:XF
名称:nt-ie5-user-ftp-password(3289)
链接:http://xforce.iss.net/static/3289.php