CVE-1999-1235 in Internet Explorer
Summary
by MITRE
Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 04/19/2026
This vulnerability in Internet Explorer 5.0 represents a critical security flaw in how the browser handles authentication credentials for file transfer protocol connections. The issue stems from the browser's improper handling of FTP URLs that contain embedded username and password information, which are stored in the browser's index.dat file. This storage mechanism creates a persistent security risk because the authentication data remains accessible even after the user has completed their session, effectively creating a credential repository that persists across browser sessions and user contexts.
The technical implementation of this vulnerability allows for two distinct attack vectors that exploit the insecure storage of authentication information. The first vector involves local privilege escalation where a malicious user with access to another user's system can directly read the index.dat file to extract stored FTP credentials. This attack directly violates the principle of least privilege and demonstrates poor access control implementation. The second vector exploits the browser's status bar display functionality, where credentials are visible as users navigate through links, creating a shoulder surfing attack surface that violates security principles of user privacy and information protection. Both attack vectors rely on the fundamental flaw that user credentials are stored in plaintext within browser history files.
The operational impact of this vulnerability extends beyond simple credential theft to encompass broader security implications for enterprise environments where multiple users share systems or workspaces. Organizations face increased risk of unauthorized access to external file servers, potential data exfiltration, and compromised network security posture. The vulnerability particularly affects environments where users frequently access multiple FTP servers or where sensitive data is transferred through these protocols, creating a significant attack surface that can be exploited by both internal and external threat actors. This flaw undermines the security model of web browsers as trusted intermediaries between users and network resources.
Mitigation strategies for this vulnerability require both immediate remediation and long-term architectural changes to prevent credential storage in insecure locations. Users should be advised to avoid embedding credentials in FTP URLs and to manually clear browser history and cache regularly. System administrators should implement monitoring for unauthorized access to index.dat files and consider network segmentation to limit access to sensitive FTP resources. The vulnerability highlights the importance of proper input validation and credential handling as outlined in CWE-546, which addresses the insecure storage of credentials, and aligns with ATT&CK technique T1555.003 for credentials from password stores. Organizations should also consider implementing additional security controls such as mandatory credential rotation, network-based access controls, and user education regarding secure browsing practices to prevent exploitation of this persistent vulnerability.