Closed Bug 233492 Opened 21 years ago Closed 21 years ago

Security risk: FTP name and password appear in Location Bar after site is opened

Categories

(SeaMonkey :: Location Bar, enhancement)

Product:
SeaMonkey
Component:
Location Bar
Platform:
x86
Windows XP
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED DUPLICATE of bug 157354

People

(Reporter: u4664, Unassigned)

Details

User-Agent:       
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040206 Firefox/0.8

When a name and password are used to access an ftp site via the Location Bar,
e.g. ftp://foo:bar@ftp.site.com, the name ("foo") and password ("bar") persist
in the Bar as the site is traversed/navigated. This is a huge security risk
because it allows casual passers-by to see the name and password. In addition,
the entire address, including the name and password, are included in the
Location Bar's history, which poses an even bigger security risk.

I haven't tested this, but I assume that this problem also exists for accessing
Web pages that use HTTP authentication.

Reproducible: Always
Steps to Reproduce:
1. In the Location Bar, go to an FTP site that requires a name and password,
e.g. ftp://foo:bar@ftp.site.com
2. Navigate through the FTP site as normal.

Actual Results:  
The name and password remain in the Location Bar.

Expected Results:  
The name and password should be removed after the user has entered the FTP site.
See how Internet Explorer handles this.

*** This bug has been marked as a duplicate of 157354 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
V/dupe
Status: RESOLVED → VERIFIED
QA Contact: benc
Product: Core → SeaMonkey
You need to log in before you can comment on or make changes to this bug.