Closed Bug 388002 Opened 17 years ago Closed 14 years ago

A password can accidentally be sent to a machine on the internet instead of an intranet machine

Categories

(Firefox :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED INCOMPLETE

People

(Reporter: oyvind.harboe, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

1. A URL sent to an intranet machine can contain confidential information. This information should not be sent out to the internet. For badly implemented server applications (I've seen a few!), this can even include a password in cleartext!

2. If someone visits a company, they can easily hear or see the name of an intranet machine.

3. At some point, this intranet machine will be taken down for maintenance. We'll call the machine "foobar".

4. Meanwhile the malefactor has registered an internet domain foobar.com

5. When the client points his browser to the "foobar" intranet machine and it does not exist, the browser will redirect him to foobar.com

6. With a bit of effort, they can make the attack a bit more spiffy with phishing pages.

Ask the guys who have "www.localhost.com" what they have picked up over the years!!! :-)

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
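The behaviour the report describes is Firefox's alternate-host fixup: when a single-label hostname such as "foobar" fails to resolve, the browser retries with the prefix and suffix from browser.fixup.alternate.prefix ("www.") and browser.fixup.alternate.suffix (".com"), so the retried request goes to www.foobar.com with the original userinfo, path and query attached. The following is an added example written for this page, not Firefox code: a simplified model of that fixup, a helper that lists what leaves the intranet with the retried request, and a stricter variant that only re-targets bare host navigations. The DNS lookup is a constructed stub (INTRANET_HOSTS), and the "safe" policy is this example's own assumption, not a Firefox setting. The actual mitigation on the client is to set browser.fixup.alternate.enabled to false.

```javascript
// Added example (not Firefox code): model of the alternate-host fixup
// described in the report. Defaults mirror the Firefox prefs
// browser.fixup.alternate.prefix and browser.fixup.alternate.suffix.
const ALTERNATE_PREFIX = "www.";
const ALTERNATE_SUFFIX = ".com";

// Constructed stand-in for DNS resolution: only these single-label names
// exist on the "intranet". "foobar" is down for maintenance, so it is absent.
const INTRANET_HOSTS = new Set(["wiki", "payroll"]);

function resolves(hostname) {
  return INTRANET_HOSTS.has(hostname);
}

// Returns the URL the browser would fetch after fixup, or null when no
// fixup applies (host resolved, host already has a dot, or fixup disabled).
// `enabled` models browser.fixup.alternate.enabled.
function alternateFixup(urlString, { enabled = true } = {}) {
  if (!enabled) return null;
  const url = new URL(urlString);
  if (resolves(url.hostname)) return null;      // original host answered
  if (url.hostname.includes(".")) return null;  // only single-label names get fixed up
  const fixed = new URL(urlString);
  // Everything except the host (userinfo, path, query) is carried over unchanged.
  fixed.hostname = ALTERNATE_PREFIX + url.hostname + ALTERNATE_SUFFIX;
  return fixed.href;
}

// Lists which sensitive URL components would travel to the new host.
function leakedParts(urlString) {
  const url = new URL(urlString);
  const parts = [];
  if (url.username !== "" || url.password !== "") parts.push("credentials");
  if (url.pathname !== "/") parts.push("path");
  if (url.search !== "") parts.push("query");
  return parts;
}

// Assumed hardening policy (this example's own, not a Firefox option):
// only re-target a request that carries nothing beyond the bare host.
function safeAlternateFixup(urlString) {
  if (leakedParts(urlString).length > 0) return null;
  return alternateFixup(urlString);
}

// Constructed sample: a badly implemented intranet app that puts the
// password in the query string, plus HTTP basic credentials in the URL.
const SAMPLE = "http://admin:hunter2@foobar/login?password=hunter2";

function demo() {
  return {
    fixedUp: alternateFixup(SAMPLE),        // goes to www.foobar.com with secrets attached
    leaks: leakedParts(SAMPLE),             // ["credentials", "path", "query"]
    hardened: safeAlternateFixup(SAMPLE),   // null: request is not re-targeted
    disabled: alternateFixup(SAMPLE, { enabled: false }),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Note that the model only decides where the request would go; in the real browser the retry is transparent to the user, which is why the report's "foobar.com" registration works without any phishing page at all: the first request already carries the secrets.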

Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → INCOMPLETE