Re: Password Flaw also in Firefox 1.5.08. Was: Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords

To: Michael Scheidell <scheidell@xxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx, fash1on@xxxxxxxxx
Subject: Re: Password Flaw also in Firefox 1.5.08. Was: Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords
From: Juha-Matti Laurio <juha-matti.laurio@xxxxxxxx>
Date: Thu, 23 Nov 2006 20:23:46 +0200 (EET)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Netscape Browser version 8.1.2 is confirmed as affected too.
Vendor was contacted on 23th november, 2006.

When visiting the PoC address the following URL (Chapin Information Services - 
Google Search) was generated:
http://www.google.com/search?q=Chapin+Information+Services&loginuser=testuser&loginpass=pass&x=467&y=642
listing the Username 'testuser' and Password 'pass' as part of URL too.

It is required that user will accept the Save New Passcard window with 'OK' and 
option Fill & Submit when visiting the site again.

Workaround:
Use "Never save login information for this site" option.

Password Manager is known as Passcard Manager in Netscape.

Juha-Matti Laurio,
Networksecurity.fi

Michael Scheidell <scheidell@xxxxxxxxxx> wrote:


Looks like this also affects FireFox 1.5.08.

Prev by Date: Re: Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords
Next by Date: Re: SolpotCrew Advisory #10 - phpBB XS (phpbb_root_path) Remote File Include
Previous by thread: Password Flaw also in Firefox 1.5.08. Was: Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords
Next by thread: [ECHO_ADV_61_2006] a-ConMan <= v3.2beta Remote File Inclusion
Index(es):
- Date
- Thread