Closed Bug 159484 Opened 18 years ago Closed 18 years ago

javascript urls can steal password data

Categories

(SeaMonkey :: Passwords & Permissions, defect, critical)

defect
Not set
critical

Tracking

(Not tracked)

VERIFIED FIXED
mozilla1.0.1

People

(Reporter: dveditz, Assigned: morse)

References

Details

(Whiteboard: [adt1 rtm] [ETA 07/30])

Attachments

(5 files, 1 obsolete file)

Password manager makes the same kind of host comparing mistake as in bug 152725,
thus javascript urls can steal password data.
QA Contact: tpreston → bsharma
Attached file testcase
This isn't a full exploit, but if you have Password Manager storing your
bugzilla password then clicking on the link will load that data into a form.
This is definitely a stop-ship.

Talon doesn't support Password Manager, does it?
Keywords: nsbeta1+
Whiteboard: [adt1 rtm]
Blocks: 143047
Whiteboard: [adt1 rtm] → [adt1 rtm] [ETA Needed]
Target Milestone: --- → mozilla1.0.1
Whiteboard: [adt1 rtm] [ETA Needed] → [adt1 rtm] [ETA 7-29]
Should we worry about SINGSIGN_RememberSignonData? Is there a way someone could
*save* a password for another host? If so how bad would that be?
I had thought about that but couldn't see any problem.  What would an attacker
gain by having you log on as him -- he could simply do that himself.  Also,
before a password is saved, the user must respond affirmatively to a pop-up
alert, so this can't happen without his knowledge.
Status: NEW → ASSIGNED
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

Hmm, this patch looks oddly familiar. r=mstoltz.
Attachment #93053 - Flags: review+
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

a=chofmann for branch and trunk
Attachment #93053 - Flags: approval+
Keywords: mozilla1.0.1
Comment on attachment 93053 [details] [diff] [review]
check to see if scheme supports hostnames

I can't think of a specific exploit against RememberSignonData, but it's clear
that the end result is known bad data getting into the password file if the
user clicks the wrong button (or another exploit suppresses the dialog?). I
don't know what an attacker could do with it if he succeeded, either, but bogus
data in such a sensitive spot sets off all my paranoia bells.

sr=dveditz if you file a bug on the RememberSignonData spot, or a bug to
convert wallet uses of nsIIOService to nsIURI. This patch is a stopgap anyway,
you're verifying that the nsIURI returns a host, but the host you actually do
use is gotten from a different method and may not in fact match.
Attachment #93053 - Flags: superreview+
OK, I agree.  Better safe than sorry.  So I'll add the RememberSignonData patch
here as well.
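The check the patch adds ("check to see if scheme supports hostnames", applied in both the prefill and the RememberSignonData spots), written out as an added illustration in Python. This is not Mozilla's code and does not use nsIURI or nsIIOService; the store, the hostnames and the URLs below are constructed samples, and the set of host-bearing schemes is an assumption chosen for the example. It also shows dveditz's point that the host used as the key must come from the same parsed object that was checked.

```python
from urllib.parse import urlparse

# Constructed sample store: host -> (username, password). Not real credentials.
SIGNON_STORE = {"bugzilla.mozilla.org": ("alice", "example-password")}

# Assumption for this example: schemes whose authority component is a real
# network host. javascript:, data:, about:, mailto: and the like have no host
# that signon data could meaningfully be keyed on.
HOST_BEARING_SCHEMES = {"http", "https", "ftp"}


def naive_lookup(store, url):
    """The pre-fix pattern: key the lookup on whatever host string the URL
    parser hands back, without asking whether the scheme defines a host."""
    host = urlparse(url).hostname
    return store.get(host)


def signon_host(url):
    """Return the host to key signon data on, or None if the URL has none.

    The scheme is checked first, and the host is read from the same parsed
    object that was checked, so the two can never disagree."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in HOST_BEARING_SCHEMES:
        return None
    host = parsed.hostname
    if not host:
        return None
    return host.lower()


def lookup_signon(store, url):
    """Prefill path: release stored data only for a URL with a genuine host."""
    host = signon_host(url)
    if host is None:
        return None
    return store.get(host)


def remember_signon(store, url, username, password):
    """Save path (the RememberSignonData spot): the same check, so a host-less
    URL cannot plant an entry in the store. Returns True if an entry was saved."""
    host = signon_host(url)
    if host is None:
        return False
    store[host] = (username, password)
    return True


if __name__ == "__main__":
    page = "https://bugzilla.mozilla.org/show_bug.cgi?id=159484"
    # Constructed: a javascript: URL written with an authority-looking prefix.
    # A host-only comparison sees the stored host and would hand the data over.
    bogus = "javascript://bugzilla.mozilla.org/"
    print("naive lookup:", naive_lookup(SIGNON_STORE, bogus))
    print("fixed lookup:", lookup_signon(SIGNON_STORE, bogus))
    print("fixed lookup, real page:", lookup_signon(SIGNON_STORE, page))
```

The naive version matches the stored entry for the javascript: URL because a generic URL parser will still carve a host out of `//bugzilla.mozilla.org`; the fixed version refuses before it ever looks at the host, and the save path refuses the same way.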
Attachment #93053 - Attachment is obsolete: true
Attachment #93158 - Flags: superreview+
Attachment #93158 - Flags: review+
Attachment #93158 - Flags: approval+
Comment on attachment 93158 [details] [diff] [review]
check in two places

bringing reviews forward:
r=mstoltz
sr=dveditz
a=chofmann
Keywords: adt1.0.1
Whiteboard: [adt1 rtm] [ETA 7-29] → [adt1 rtm] [ETA 07/30]
Landed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
bsharma: can you pls verify this one on the trunk tomorrow? thanks!
Verified on 2002-07-30-trunk on Win 2000.

Steps:
1. Saved the bugzilla password in the Password Manager.
2. Ran the attached test case.
3. An exception is thrown in the JS console.
4. Ran the form test case.
5. An exception is thrown in the JS console.
Status: RESOLVED → VERIFIED
adt1.0.1+ (on ADT's behalf) approval for checkin to the 1.0 branch, pending
drivers' approval. pls check this in asap, then replace the "mozilla1.0.1+"
with "fixed1.0.1". thanks!
Keywords: adt1.0.1 → adt1.0.1+
Patch checked in on branch.
Keywords: mozilla1.0.1 → fixed1.0.1
a=chofmann for 1.0.1
Group: security?
Group: security?
Group: security
Product: Browser → Seamonkey