Closed
Bug 155030
Opened 22 years ago
Closed 3 years ago
Moz should not allow reposting password forms
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: nicklas, Unassigned, NeedInfo)
References
Details
(Keywords: helpwanted, sec-low, testcase, Whiteboard: [sg:low local])
From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529 BuildID: 2002063000 I think it's a security risk to be able to repost a password form using values stored in cache. That way an unauthorized user could press Back, Repost and then use the other users account. Reproducible: Always Steps to Reproduce: 1. Log in to a (php) site (with sessions) with the <input>-types text and password 2. Log out from the site 3. Press back and then Repost
Comment 1•22 years ago
|
||
I confirmed that Mozilla does resubmit the password using Bugzilla's login form. This even works at http://www.bankofamerica.com/, which has disabled password manager using autocomplete=off. Autocomplete=off also makes the back button not restore the username and password fields, which I think is intentional. I'm surprised that banks haven't noticed this bug.
Severity: normal → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Bad idea to repost password fields → Moz should not allow reposting password forms
Updated•22 years ago
|
Priority: -- → P2
Updated•22 years ago
|
Group: security?
Comment 2•22 years ago
|
||
Nominating...
Comment 4•22 years ago
|
||
Any idea on what it takes to fix this one?
Comment 5•22 years ago
|
||
adding Kevin and Alex to the bug to help out jkeiser.
Comment 6•22 years ago
|
||
looks like many banks are more clever than the Bank of America. They use session cookies and so on and do not rely on the browser alone to protect the passwords. at least my credit union does a good job in spite of this bug.
Comment 7•22 years ago
|
||
Any status or ETA for a fix with this?
Comment 8•22 years ago
|
||
hopefully, tommorow i can tell. i need to collect information first. on it.
Comment 9•22 years ago
|
||
i don't get the "Confirm" dialog anymore with recent builds when i try to go back. tested with builds made today 07-02-2002
Comment 10•22 years ago
|
||
tested with bugzilla: after i posted the previous comment, i hit back and in the past usually the "Confirm" dialog ("the page you are trying to view contains POSTDATA ...") was displayed immediatelly. With today's build, not anymore. Try this with the most recent build. First after you go back and try to refresh, the "Confirm" dialog will appear, this makes ne think that we have a pretty major problem. As long as this problem persists, this bug 155030 is invalid. i will try to see when the regression happened and localize the change that caused it. i will also open a new bug and make this one depend on the new bug.
Comment 11•22 years ago
|
||
maybe is not a bug at all that we show that dialog first when the user tries to refresh.
Comment 12•22 years ago
|
||
oops: no matter how things turn out to be, this bug is still valid
Comment 13•22 years ago
|
||
Why is this marked security confidential? Is this exploitable by malicious websites?
Comment 14•22 years ago
|
||
is more likely a problem if someone uses a page where he logged in, then that someone is logging out and then is leaving his PC unattended, someone else could go back in the history and log in without problems.
Comment 15•22 years ago
|
||
That sounds like a bug in the user. It doesn't sound any more of a security exploit than a user who lets a bad guy stand over his shoulder and watch him type in his password. I can't see any good reason to keep this bug closed, especially as you try to solicit help in fixing it.
Comment 16•22 years ago
|
||
yeah, well i can't do anything about it. i'm only on the CC list and was added today. to be honnest, i have a problem everytime i hit one of this bugs. i kinda own all new form submission bugs, but as soon as i'm removed from the bug and the bug is marked security-sensitive, i cannot access it anymore.
Comment 17•22 years ago
|
||
OK, i found out what is the problem with the "Confirm" dialog (see comment #10). Here is the explanation: The "Confirm" dialog appears only in the case that the amouts of storage space for cached content (memory and disk together) is not big enough to keep the page that is received as a result of a POST action(method). So, no matter which cache option is chosen, the only thing that matters are the settings for memory and disk cache space. Now i think that the average user will not even know what the hell means to setup the amounts of storage space for caching. Maybe the importance of this bug should be revised by ADT.
Comment 18•22 years ago
|
||
NICKLAS BJORK: have you turned the amounts of storage space for caching (memory and disk) to 0? Do you run without cache? (see previous comment for exaplanation)
Comment 20•22 years ago
|
||
The size of the cache does not matter. I can make Mozilla repost the password using Ctrl+R even if the page is still cached for session history.
Comment 21•22 years ago
|
||
Is there any way to take advantage of this problem without having physical access to the machine? Could this be the basis for a plausible remote exploit? If so, then this is serious, otherwise not so serious. Jesse, any thoughts?
Comment 22•22 years ago
|
||
of course, if you hit CTRL+R you will re-request the page. we just lowered the impact to ADT2, that was the reason for the arguments in comment 17. the bug is still on the major radars.
Comment 23•22 years ago
|
||
There are only two possibilities I can see here: (a) [FIX] *never* allow reposting of POST data when there is an input type=password among the data (b) [EVANG] tell the server manufacturers they need to send the Cache-Control: no-store or Cache-Control: no-cache headers, which seems like a better solution--having server owners deal with this keeps things flexible for other web developers who might want to allow back and forward to work on such pages. Does IE not have this problem? I bet it does.
Comment 24•22 years ago
|
||
IE has the same problem (with Ctrl+R) you get the same result.
Comment 25•22 years ago
|
||
Alexandru: Does IE have the same problem if AUTOCOMPLETE="OFF" is specified on the form?
Comment 26•22 years ago
|
||
Exploiting this bug requires having physical access to the machine. Does Cache-Control prevent reposting? Even if it does, I'm not sure that webmail providers can use it (does it allow form data like typed e-mails to be kept session history?), and many will choose not to use it because it makes their site slower. IMO, it's reasonable for a user to assume that clicking "log out" is sufficient even in an Internet cafe. I think we should treat this as a bug rather than an evangelism issue. It's not serious, but fixing it would make Mozilla a better choice for Internet cafes and might make banks like us more.
Comment 27•22 years ago
|
||
I just logged into Fidelity, BofA and Yahoo mail. When I use the Back button to go back to login none of these sites have my password filled in and so I can't resubmit to login. With BofA if I sign out then use my back button, my password isn't there either, to resubmit. On Fidelity if I sign out then use my back button, it refreshes the signin page, with no fields filled in. But maybe I don't get how to make this bug happen...I agree users should have the burden to logout but if you can post a form with their data when they *didn't* ask for mozilla to save the data, that's not good.
Comment 28•22 years ago
|
||
There is a very real problem here, though the server can (and should) fix it. The problem is not just the repost; the problem is that the password data is stored in memory, in plaintext, for these cached pages. Thus an application could conceivably go to the cached postdata, even if the data was not saved/restored, and find the plaintext password. Server Fix: Cache-Control header can be sent on just a single page (and no others)--so it can be sent on the affected login page. Webmail applications and other login sensitive applications in general should be doing this anyway--they should not depend on behavior on the client. And since the problem happens in IE as well, the servers *need* to fix this. Client Fix: Trigger on input type=password or autocomplete="off" and do not cache the page at all in that case (or perhaps just do not cache the URL or network data. It makes sense from a certain paranoid POV to do this--but servers should still be fixed if they want to deal with security problems. Not caching these pages is counter-intuitive and adds yet another anomaly to our already undocumented caching behavior. CONSEQUENCES: You *will not* be able to go back to *any* page that was submitted with autocomplete="off" or input type="password" once it has been purged from the cache (and I am assuming we can cache the page but not the network data, which might not be possible). You will never see the page again.
Status: NEW → ASSIGNED
Comment 29•22 years ago
|
||
I agree with JKeiser. A server side solution is a more appropriate one. The client side solution proposed above will only add more confusion and create a slew of session history bugs. I thought that when a password field is encountered, we just did not store its value in forms manager as well as in layout (nsILayoutHistoryState) irrespective of whether the page had no-cache or no-store headers. Was that a wrong assumption I made? or Did that behavior regress lately.
Comment 30•22 years ago
|
||
My $.2: Server Fix: Agree, banks, retailers, etc. are also responsible for their customers security. Relying on browsers capabilities only, should not be considered enough. Many web developers are aware of that and that is why this exploit does not work in most of the cases. Client Fix: We could warn the user that the result page of a post is not cached. However, I think that creating a fix that introduces such a special cache behaviour is not really a top importance issue. Rahter the web developers should be evangelized. Even if we create a fix like the one described by John, IE will still be a problem for them. Exploiting this: I can imagine that in big offices many have physical acces to machines that are not theirs. I used to work in a company that had aprox. 500 cublicles on a floor. One might observe who is a BoA customer for example, and learn their lunch habits + leaving their machines unattended (that many people really do) and voila, there is a possibility.
Comment 31•22 years ago
|
||
re comment 29: Form manager has nothing to do with any of this -- I don't see any mention of the use of form manager in this bug report. But to answer your specific question, you are correct that form-manager does not save password fields. Of course password manager does save such fields, but not if autocomplete=off.
Comment 32•22 years ago
|
||
Radha: yes, password fields aren't stored for save/restore or form manager, but we store the POST data in the session history, and the password is implicitly stored there as part of that data. The Cache-Control headers should take care of that, right?
Comment 33•22 years ago
|
||
The cache control headers *do not* take care of postdata in session history. Session history holds a handle to the Postdata (nsIInputStream) for all pages irrespective of what cache control flags the page has or any flags the password field may have. But note that session history holds this handle in memory which is independent of disk cache or memory cache or layout. The cache control flags only attribute towards saving or restoring nsILayoutHistoryState, but does nothing for postdata.
Comment 34•22 years ago
|
||
OK, so this is in fact a client problem as well as server. It seems to me that Cache-Control: no-store *should not* store the POST data, as specified in the HTTP 1.1 RFC: http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.2 "If sent in a response, a cache MUST NOT store any part of either this response or the request that elicited it." We should not be storing POST data or (my personal opinion) even the history data, at least the GET part. But the GET part is debatable.
Comment 35•22 years ago
|
||
Whenever you use the back button on a cache-control site, you're prompted to repost, right? (I don't have a bank login to test.) Cache-controlling the first page out of session history isn't an attractive option, because it breaks the back button while allowing no way to repost. I think a site can keep passwords from being reposted simply by making the login cgi redirect to a GET page. I still think we should fix this bug in order to protect users of less paranoid sites. "Cache-control should keep all post data out of session history" should be a separate, less severe, and possibly highrisk (due to compat) bug.
Comment 36•22 years ago
|
||
OK, so what you're saying is we need to cache the page but we need to remove the POST information from the cache so that the user cannot log back in. So we either create a new Cache-Control directive, or we do this on *all* pages resulting from posts with autocomplete=off or input type=password. I think a new Cache-Control directive might be better, like Cache-Control: no-store-request or something. But given reality we might have to do the latter and accept that users will be totally unable to get back to these pages when they have their cache turned off or pages expire--and this is behavior server owners may not have anticipated. If we do that we may as well fix no-store, which is no-cache plus don't-store-post-data-and-stuff. That's precisely what no-store is for. Sites that don't want such a paranoid behavior just use Cache-Control: no-cache instead. The hard part of fixing no-store will be removing the data from the cache and showing a page explaining why nothing can be loaded, and that's what we have to do for the proposed fix here too.
Comment 37•22 years ago
|
||
bug 157387 has a suggestion addressing this issue.
Comment 38•22 years ago
|
||
Unfortunately, that suggestion wouldn't fix this issue. This issue is more fundamental--the POST request *has* to contain the password. When you save the POST request you either save all or nothing. If you save any less than the entire request, then you can't use it to repost.
Comment 39•22 years ago
|
||
when do we believe we'd have a potential fix for this one?
Whiteboard: [ADT2 RTM] → [ADT2 RTM] [ETA Needed]
Comment 40•22 years ago
|
||
I have spoken to Jaime and explained several facts that make this a difficult choice whether to put into the product: 1. We can fix this, but if we do so then an already-logged-in user will be completely unable to go back to the first page he logged into. This is often the main page, the control panel if you will, so it is a real loss. 2. Sites *can* fix the problem on their side with foresight and evangelism. 3. IE already does it, so they need to fix it anyway. Without (1), (2) and (3) would not be sufficient, but (1) means we would cause usability problems by fixing the security problem.
Updated•22 years ago
|
Whiteboard: [ADT2 RTM] [ETA Needed] → [ADT2 RTM]
I think this bug should be opened and we should start site evangelism. The problem here affects IE as well as us, and most importantly it's not something that can be automatically exploited. The only risk of having this bug open is that someone will read it and then decide to try stealing their neighbour's bank login. The potentially downside is fairly small I'd say.
Updated•22 years ago
|
Severity: critical → normal
Whiteboard: [ADT2 RTM] → [ADT2 RTM][sg:publish]
Comment 42•22 years ago
|
||
John, could you please file an evangelism bug that describes what sites should be doing? Should we do any client fix?
Group: security?
Comment 43•22 years ago
|
||
Steps to Reproduce: 1. Log in to a (php) site (with sessions)such as www.bofa.com and Bugzilla with the <input>-types text and password 2. Log out from the site 3. Press back and then Repost
Keywords: testcase
Comment 44•22 years ago
|
||
An evang document could encourage sites to make the login cgi redirect using GET. (Encouraging sites to use cache-control: no-store seems like a bad idea to me, and I don't think we'd be successful trying to introduce a new no-store-request header.) But since many site owners won't see the evang document or won't go through the process of rewriting their login cgis, I still think Mozilla should disallow reposting forms containing password fields. Thanks to caching, it's rare that Mozilla needs to repost a form, so I don't think disallowing reposting password forms will cause problems.
Comment 45•22 years ago
|
||
nsbeta1-. John is overloaded with higher priority issues.
Comment 46•20 years ago
|
||
-> me Adding this to my 1.8 list... not sure if I'll get to it, but I think this would be an excellent bug to resolve.
Assignee: john → darin
Severity: normal → major
Status: ASSIGNED → NEW
Priority: P2 → --
Target Milestone: Future → mozilla1.8alpha2
Updated•20 years ago
|
Target Milestone: mozilla1.8alpha2 → mozilla1.8beta
Updated•20 years ago
|
Keywords: helpwanted
Comment 47•19 years ago
|
||
I'm not going to have time to change anything here. Patches welcome.
Target Milestone: mozilla1.8beta1 → Future
Comment 48•19 years ago
|
||
i'm fairly certain this will annoy me (and my company's product), so a way to control the behavior (pref or build flag, pref is prefered) would be appreciated. changing the pref would of course not apply to things that have already happened.
Comment 49•19 years ago
|
||
timeless: as i said before, "patches welcome" :-)
Updated•18 years ago
|
Whiteboard: [ADT2 RTM][sg:publish] → [ADT2 RTM][sg:want]
Updated•18 years ago
|
Whiteboard: [ADT2 RTM][sg:want] → [sg:want]
Updated•18 years ago
|
Assignee: darin → form-submission
QA Contact: vladimire → ian
Target Milestone: Future → ---
Updated•15 years ago
|
Whiteboard: [sg:want] → [sg:low local]
Comment 51•15 years ago
|
||
Hmm. So can someone describe to me IE's behavior here?
Comment 53•15 years ago
|
||
IE has the same behaviour. You can use the Back button to Repost. Doing a redirect to GET after POST also prevents IE from caching the POST data.
Updated•15 years ago
|
Assignee: form-submission → nobody
QA Contact: ian → form-submission
Assignee | ||
Updated•5 years ago
|
Component: HTML: Form Submission → DOM: Core & HTML
Comment 54•3 years ago
|
||
Hey Jesse,
Can you still reproduce this issue or should we close it?
Flags: needinfo?(jruderman)
Comment 55•3 years ago
|
||
Marking this as Resolved > Incomplete since the last activity on this issue was 12 years ago and it might not be relevant anymore.
Feel free to re-open if the issue is still reproducible on your end in the latest FF versions.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•