Open Bug 312321 Opened 19 years ago Updated 20 days ago

on ftp user:password@site is not hidden in download-managers source column

Categories

(SeaMonkey :: Security, defect)

1.7 Branch
x86
Windows 98
defect
Not set
normal

Tracking

(Not tracked)

People

(Reporter: pbm.de, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Win98; de-AT; rv:1.7.10) Gecko/20050716
Build Identifier: Mozilla/5.0 (Windows; U; Win98; de-AT; rv:1.7.10) Gecko/20050716

When logging into an FTP page the classic way (ftp://user:password@somewhere.com), the
user and password are permanently visible in the download manager's source column
(not wiped after the download has finished). Same problem with the browser's history
window. This might be a security flaw, because no one wants usernames and
corresponding passwords to be visible to other users on the machine.
Seems to be independent of OS.

Reproducible: Always

Steps to Reproduce:
1. Type in an ftp address in the classical way: ftp://user:password@ftp.adr
2. Complete address including username/password is stored in the most recently
visited sites.
3. If a download is started the complete address including username/password is
visible and stored in the source column of download-manager

Actual Results:  
After downloading or looking in site history username/password is still visible
to other users of this machine.

Expected Results:  
User/Password@ should be deleted after download has ended.
User/password@ should not be visible in site history.
The history part is bug 130327
Group: security
Status: UNCONFIRMED → NEW
Depends on: 130327
Ever confirmed: true
Summary: on ftp user:password@site is not hidden in download-managers source column; same in browsers history → on ftp user:password@site is not hidden in download-managers source column
Can you reproduce with SeaMonkey v1.1.9 ?
Can you reproduce with SeaMonkey v2.0a1pre ?
Assignee: dveditz → nobody
Version: unspecified → 1.7 Branch
(In reply to comment #2)
> Can you reproduce with SeaMonkey v1.1.9 ?
> Can you reproduce with SeaMonkey v2.0a1pre ?
> 

Reproducible with SeaMonkey v1.1.9,
not tested with v2.0a1pre
No longer depends on: 130327
See Also: → 130327
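
The expected behaviour described in this report (no user:password@ in the download manager's source column or in history) comes down to stripping the userinfo part of a URL before it is displayed or persisted. The following is an added example, not SeaMonkey code and not part of the original report; the function names, record fields and sample URLs are hypothetical and constructed for illustration.

```javascript
// Added example, not SeaMonkey code. Function and field names are hypothetical.
const AUTHORITY_USERINFO = /^([a-z][a-z0-9+.-]*:\/\/)[^\/?#]*@/i;

// True if the URL carries user or user:password in its authority part.
function hasUserinfo(spec) {
  try {
    const u = new URL(spec);
    return u.username !== "" || u.password !== "";
  } catch (e) {
    // Unparseable input: fall back to a textual check of the authority.
    return AUTHORITY_USERINFO.test(spec);
  }
}

// Return the URL with userinfo removed, for display or persistent storage.
function redactUserinfo(spec) {
  if (!hasUserinfo(spec)) return spec;
  try {
    const u = new URL(spec);
    u.username = "";
    u.password = "";
    return u.href;
  } catch (e) {
    return spec.replace(AUTHORITY_USERINFO, "$1");
  }
}

// Build the record a download list would persist: only the redacted source.
function makeDownloadRecord(spec, targetPath) {
  return { source: redactUserinfo(spec), target: targetPath };
}

// Audit already-stored entries (history, download list) for leaked credentials.
function findLeakyEntries(entries) {
  return entries.filter(hasUserinfo);
}

// Constructed sample data.
const storedEntries = [
  "ftp://user:password@ftp.example.com/pub/file.zip",
  "ftp://ftp.example.com/dir/a@b.txt",
  "ftp://user:p@ss@ftp.example.com/f",
];
console.log(findLeakyEntries(storedEntries).length);
console.log(makeDownloadRecord(storedEntries[0], "file.zip"));
```

An "@" in the path is left alone, and a password that itself contains "@" is still removed because the parser treats everything up to the last "@" in the authority as userinfo.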