[原文]Internet Explorer 5.0 records the username and password for FTP servers in the URL history, which could allow (1) local users to read the information from another user's index.dat, or (2) people who are physically observing ("shoulder surfing") another user to read the information from the status bar when the user moves the mouse over a link.
Microsoft Internet Explorer 5.0 for Windows 2000/Windows NT 4 FTP Password Storage Vulnerability
FTP usernames and passwords for sites accessed via Internet Explorer 5.X are stored (cleartext) in history files stored under \Winnt\Profiles\[Username]\History\History.IE5\index.dat and \Winnt\Profiles\[Username]\History\History.IE5\MSHist<date>..\index.dat. By default, the \Winnt\Profiles\[Username]\History directories are secured with ACLs to allow Full Control for System, the Administrators group, and the given Username. The index.dat files, however, are created with Everyone:Full Control permissions.
Because the "Bypass Traverse Checking" right is assigned by default to the Everyone group, any user with access to the host can read any other user's index.dat files.
To bypass traverse checking and access another user's index.dat files, reference the absolute filename. For example, to search for all index.dat files belonging to the "administrator" account, issue the following command from a command prompt: