javascript urls can steal password data

VERIFIED FIXED in mozilla1.0.1

Status

SeaMonkey
Passwords & Permissions
--
critical
VERIFIED FIXED
15 years ago
13 years ago

People

(Reporter: dveditz, Assigned: Stephen P. Morse)

Tracking

Trunk
mozilla1.0.1

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [adt1 rtm] [ETA 07/30])

Attachments

(5 attachments, 1 obsolete attachment)

(Reporter)

Description

15 years ago
Password manager makes the same kind of host comparing mistake as in bug 152725,
thus javascript urls can steal password data.
(Reporter)

Updated

15 years ago
QA Contact: tpreston → bsharma
(Reporter)

Comment 1

15 years ago
Created attachment 92843 [details]
testcase

This isn't a full exploit, but if password manager stores your bugzilla
password then clicking on the link will load that data into a form.
(Reporter)

Comment 2

15 years ago
Created attachment 92854 [details]
scarier testcase -- will reveal your bugzilla password to passers by
(Reporter)

Comment 3

15 years ago
This is definitely a stop-ship.

Talon doesn't support Password Manager, does it?
Keywords: nsbeta1+
Whiteboard: [adt1 rtm]

Updated

15 years ago
Blocks: 143047
Whiteboard: [adt1 rtm] → [adt1 rtm] [ETA Needed]
Target Milestone: --- → mozilla1.0.1
(Assignee)

Updated

15 years ago
Whiteboard: [adt1 rtm] [ETA Needed] → [adt1 rtm] [ETA 7-29]
(Assignee)

Comment 4

15 years ago
Created attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames
(Reporter)

Comment 5

15 years ago
Should we worry about SINGSIGN_RememberSignonData? Is there a way someone could
*save* a password for another host? If so how bad would that be?
(Assignee)

Comment 6

15 years ago
I had thought about that but couldn't see any problem.  What would an attacker
gain by having you log on as him -- he could simply do that himself.  Also,
before a password is saved, the user must respond affirmatively to a pop-up
alert, so this can't happen without his knowledge.
Status: NEW → ASSIGNED
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

Hmm, this patch looks oddly familiar. r=mstoltz.
Attachment #93053 - Flags: review+
Created attachment 93119 [details] [diff] [review]
Fix for 0.9.4 branch

Comment 9

15 years ago
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

a=chofmann for branch and trunk
Attachment #93053 - Flags: approval+

Updated

15 years ago
Keywords: mozilla1.0.1
(Reporter)

Comment 10

15 years ago
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

I can't think of a specific exploit against RememberSignonData, but it's clear
that the end result is known bad data getting into the password file if the
user clicks the wrong button (or another exploit suppresses the dialog?). I
don't know what an attacker could do with it if he succeeded, either, but bogus
data in such a sensitive spot sets off all my paranoia bells.

sr=dveditz if you file a bug on the RememberSignonData spot, or a bug to
convert wallet uses of nsIIOService to nsIURI. This patch is a stopgap anyway,
you're verifying that the nsIURI returns a host, but the host you actually do
use is gotten from a different method and may not in fact match.
Attachment #93053 - Flags: superreview+
(Assignee)

Comment 11

15 years ago
OK, I agree.  Better safe than sorry.  So I'll add the RememberSignonData patch
here as well.
(Assignee)

Comment 12

15 years ago
Created attachment 93158 [details] [diff] [review]
check in two places
Attachment #93053 - Attachment is obsolete: true
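The guard the patch adds, as an added example that is not Mozilla's wallet/singsign code: a small credential store that refuses to fill or save unless the page URL's scheme carries a hostname, and that keys both the lookup and the remember path on the very same parsed host it checked (the mismatch dveditz warns about in comment 10). The scheme allowlist, the store shape and the Node WHATWG URL parser are assumptions.

```javascript
// Added example, not the project's own code. Assumes Node's global URL parser.
// Only these schemes carry an authority the password manager may key on.
const HOST_SCHEMES = new Set(["http:", "https:", "ftp:"]);

// Return the host a credential may be keyed on, or null when the URL has no
// usable host. javascript:, data:, about: and mailto: URLs all end up as null,
// so they can never match a stored entry and never create one.
function signonHost(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null; // unparsable: treat as hostless
  }
  if (!HOST_SCHEMES.has(url.protocol)) return null;
  if (url.hostname === "") return null;
  // The same value is used for the check and for the comparison below,
  // rather than fetching the host again through a second API.
  return url.hostname.toLowerCase();
}

class SignonStore {
  constructor() {
    this.entries = new Map(); // host -> { user, password }
  }

  // Fill path: only hand data back for a host-bearing URL whose host matches.
  lookup(urlString) {
    const host = signonHost(urlString);
    if (host === null) return null;
    return this.entries.get(host) || null;
  }

  // Save path: same guard, so a hostless URL cannot plant a bogus entry
  // in the password file (the RememberSignonData concern).
  remember(urlString, user, password) {
    const host = signonHost(urlString);
    if (host === null) return false;
    this.entries.set(host, { user, password });
    return true;
  }
}

// Constructed sample data: one saved login for a hypothetical bugzilla host.
const store = new SignonStore();
store.remember("https://bugzilla.example.org/query.cgi", "alice", "s3cret");
```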
(Assignee)

Updated

15 years ago
Attachment #93158 - Flags: superreview+
Attachment #93158 - Flags: review+
Attachment #93158 - Flags: approval+
(Assignee)

Comment 13

15 years ago
Comment on attachment 93158 [details] [diff] [review]
check in two places

bringing reviews forward:
r=mstoltz
sr=dveditz
a=chofmann

Updated

15 years ago
Keywords: adt1.0.1
Whiteboard: [adt1 rtm] [ETA 7-29] → [adt1 rtm] [ETA 07/30]
(Assignee)

Comment 14

15 years ago
Landed on trunk.
Status: ASSIGNED → RESOLVED
Last Resolved: 15 years ago
Resolution: --- → FIXED

Comment 15

15 years ago
bsharma: can you pls verify this one on the trunk tomorrow? thanks!
Created attachment 93309 [details] [diff] [review]
Patch #2 for 0.9.4 branch - apply this AFTER applying the first one

Comment 17

15 years ago
Verified on 2002-07-30-trunk on Win 2000.

Steps:
1. Saved the bugzilla password in the Password Manager.
2. Ran the attached test case.
3. An exception is thrown in the JS console.
4. Ran the form test case.
5. An exception is thrown in the JS console.
Status: RESOLVED → VERIFIED

Comment 18

15 years ago
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch, pending
drivers' approval. pls check this in asap, then replace the "mozilla1.0.1+"
with "fixed1.0.1". thanks!
Keywords: adt1.0.1 → adt1.0.1+
(Assignee)

Comment 19

15 years ago
Patch checked in on branch.
Keywords: mozilla1.0.1 → fixed1.0.1

Comment 20

15 years ago
a=chofmann for 1.0.1
Group: security?
Group: security?
Group: security
Product: Browser → Seamonkey