SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Mozilla Firefox Vendors:   Mozilla.org
Mozilla Firefox Password Manager Can Disclose Passwords and Other Form Values to Remote Websites
SecurityTracker Alert ID:  1017271
SecurityTracker URL:  http://securitytracker.com/id/1017271
CVE Reference:   CVE-2006-6077   (Links to External Site)
Updated:  Feb 24 2007
Original Entry Date:  Nov 22 2006
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 1.5.0.10, also 2.0, 2.0.0.1
Description:   A vulnerability was reported in Mozilla Firefox Password Manager. A remote user can obtain saved form password and field values. Some user interaction is required.

The Password Manager does not properly validate web forms when filling in saved form field values (including passwords). A remote user can create a specially crafted form on a web site for which the browser has saved the target user's password. When the user performs an action (such as clicking on a submit button or object), the form values can be sent to a different web site than the user expects.

This vulnerability is being actively exploited as part of some phishing attacks.

Robert Chapin reported this vulnerability.

A proof-of-concept test is available at:

http://www.info-svc.com/news/11-21-2006/rcsr1/

The original bug report is available at:

https://bugzilla.mozilla.org/show_bug.cgi?id=360493

The original advisory is available at:

http://www.info-svc.com/news/11-21-2006/
Impact:   A remote user can cause the target user's saved password and form field values to be sent to an arbitrary site in certain cases, with some user interaction.
Solution:   The vendor has issued a fix (1.5.0.10, 2.0.0.2).

The Mozilla advisory is available at:

http://www.mozilla.org/security/announce/2007/mfsa2007-02.html
Vendor URL:  www.mozilla.org/security/announce/2007/mfsa2007-02.html (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents


[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC