Closed Bug 53580 Opened 25 years ago Closed 25 years ago

Mozilla. transmits user/password in referal URL

Categories

(Core :: Networking, defect, P3)

Product:
Core
Component:
Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: 1212mozilla, Assigned: gagan)

References

(
URL
)

Details

(Whiteboard: [rtm++])

Attachments

(7 files)

Fix that checks for prehost and skips it.
1.02 KB, patch
Details | Diff | Splinter Review
Revised patch since ReplaceSubstring doesn't work yet!
1.98 KB, patch
Details | Diff | Splinter Review
Revised fix after scc's suggestion on Substring usage.
1.17 KB, patch
Details | Diff | Splinter Review
Final patch with scc's suggestions.
1.29 KB, patch
Details | Diff | Splinter Review
patch to fix AIX and Solaris bustage...
1.09 KB, patch
Details | Diff | Splinter Review
A little clean up - less casts
1.11 KB, patch
Details | Diff | Splinter Review
Final fix including the last suggestion
1.33 KB, patch
Details | Diff | Splinter Review
If somebody visits a site protected with basic authentication using a url of the form: http://user:password@siteA.domain/ And they then proceed via link from siteA.domain to siteB.domain, the user and password from siteA are transmitted to siteB via the referring URL. In this case the referring url that siteB sees is: http://user:password@siteA.domain/ User and password data needs to be stripped from a URL before it can be used as a referring URL. Netscape 4 does this. Using netscape 4 siteB would see: http://siteA.domain/
Severity: normal → major
Keywords: 4xp
Woohoo - major information leakage. Thanks for noticing this; I'll fix it ASAP. Marking nsbeta3.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Keywords: nsbeta3
Target Milestone: --- → M19
I tested this with Gagan, and it looks like we are filetring username:password out of the referrer field. Marking WORKSFORME. Reporter, are you using a recent build?
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → WORKSFORME
The build I am currently using is:2000091212 (password is x'ed out here...) If I visit http://webstats:xxxxx@www.gcctech.com/stats/ and then click around from there, I get a line that looks like this in my server log: 10.2.1.55 - webstats [27/Sep/2000:07:40:39 -0400] "GET /stats/usage.png HTTP/1.1" 200 2894 "http://webstats:xxxxx@www.gcctech.com/stats/" "Mozilla/5.0 (X11; U; Linux 2.2.5-15 i586; en-US; m18) Gecko/20000912" With Netscape 4, I get "http://www.gcctech.com/stats/" reported in the server logs as the user agent. If I create a file called test.html in my stats directory which has a link to http://www.gccprinters.com/ and access that and follow the links I get the following two lines in my server logs: 10.2.1.55 - webstats [27/Sep/2000:07:49:51 -0400] "GET /stats/test.html HTTP/1.1" 200 81 "-" "Mozilla/5.0 (X11; U; Linux 2.2.5-15 i586; en-US; m18) Gecko/20000912" 10.2.1.55 - - [27/Sep/2000:07:49:59 -0400] "GET / HTTP/1.1" 200 1428 "http://webstats:xxxxx@www.gcctech.com/stats/test.html" "Mozilla/5.0 (X11; U; Linux 2.2.5-15 i586; en-US; m18) Gecko/20000912" (This should cover the case that mozilla is only stripping out the user and password names when you go to a different domain, Mozilla shouldn't know that www.gcctech.com and www.gccprinters.com are actually the same) Let me do this test with the most recent nightly build.
I couldn't get the latest nightly build for linux to start on my system. I had to resort to testing this in windows. The latest nightly build still appears to me to have this problem. From my logs: 10.3.1.65 - webstats [27/Sep/2000:08:24:24 -0400] "GET /stats/test.html HTTP/1.1" 200 81 "-" "Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20000926" 10.3.1.65 - - [27/Sep/2000:08:24:28 -0400] "GET / HTTP/1.1" 200 1428 "http://webstats:xxxxx@www.gcctech.com/stats/test.html" "Mozilla/5.0 (Windows; U; Win98; en-US; m18) Gecko/20000926"
I created a page that makes it easy to test this problem. See the URL now associated with this bug.
URL: http://mozilla:thing@www.gcctech.com/...
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Reassigning to Gagan in case this problem actually still exists.
Assignee: mstoltz → gagan
Status: REOPENED → NEW
Component: Security: General → Networking
QA Contact: czhang → tever
Finally figured out how to start nightly builds under linux again. Tested with the latest nightly build by visiting: http://mozilla:thing@www.gcctech.com/test/ This bug is still here.
Confirming with Mozilla/5.0 (Windows; U; WinNT4.0; en-US; m18) Gecko/20000928
I see this on Windows 98 (not on the Ben&Jerry site, but I think that's because my proxy strips referers). All/All. Nominating for rtm. Btw, bug 32359 also has a testcase that will show the referer.
Keywords: rtm
OS: Linux → All
Hardware: PC → All
Sounds like there's agreement that this problem really exists. Seems like this should be high priority and critical. Gagan, Mitch, are either of you looking at fixing this for RTM? Is there some mitigating factor that makes this not important?
Whiteboard: [need info]
taking it over.
Status: NEW → ASSIGNED
Whiteboard: [need info] → [rtm need info]
sr=mscott
rtm++
Whiteboard: [rtm need info] → [rtm++]
sr=scc
Fix checked in trunk as well as the branch.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → FIXED
I had to back out my changes since Substring didn't turn out to be all that XP, had problems on AIX and Solaris. Am cc'ing scc for his suggestions on how to fix that.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Gagan, did you back your fix out on the branch? Or just on the trunk? If this fix is not on the branch, then it has missed the first N6 candidate build, so we can not take it unless we respin. This bug is in candidate limbo. We will reconsider this fix once we have a candidate in hand, but we can't take this fix before then. PDT marking [rtm+]
Whiteboard: [rtm++] → [rtm+]
sr=scc
I had to back it out on the brance as wellas the trunk. Seems to me that I should go ahead and check this in but I'd wait for you/PDT to clear it. Thx.
PDT marking [rtm++]. This bug is now out of limbo and approved for checkin to the branch. Please check in ASAP.
Summary: Mozilla transmits user/password in referal URL. → Mozilla. transmits user/password in referal URL
Whiteboard: [rtm+] → [rtm++]
Gagan -- looking at the patch code, you assume that the protocol is "http://" (7 characters long). This bug would also show up under https (Any other protocols have user/pass and send a referal?). I believe that with your current fix, a https://user:pass@host.domain/ fail the assertion because "https://" has a length of 8....
Link to the test URL on using https: https://mozilla:thing@www.gcctech.com/test/
Fix checked in
asdf
Status: REOPENED → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → FIXED
gagan, you got the cast wrong. It's NS_READABLE_CAST(char, ref) not |char*|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
ok fixed again. thanks scc and dcranford
Status: REOPENED → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → FIXED
On WinNT 2000-10-31-14-MN6 build this bug is fixed. Marking VERIFIED.
Status: RESOLVED → VERIFIED
Looks like we are not supposed to mark verified unless it's maked verified in both branch & trunk. Brach - 2000-10-31-14-MN6 - verified.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
Added vtrunk to the keyword
Status: REOPENED → RESOLVED
Closed: 25 years ago25 years ago
Keywords: vtrunk
Resolution: --- → FIXED
QA Contact: tever → benc
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: