on ftp user:password@site is not hidden in download-managers source column

NEW
Unassigned

Status

SeaMonkey
Security
13 years ago
10 years ago

People

(Reporter: Jens Massmann, Unassigned)

Tracking

(Depends on: 1 bug)

1.7 Branch
x86
Windows 98

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win98; de-AT; rv:1.7.10) Gecko/20050716
Build Identifier: Mozilla/5.0 (Windows; U; Win98; de-AT; rv:1.7.10) Gecko/20050716

When logging into an FTP page the classic way (ftp://user:password@somewhere.com), the
user and password are permanently visible in the download manager's source column
(not wiped after the download has finished). Same problem with the browser's history
window. This might be a security flaw, because no one wants usernames and
corresponding passwords to be visible to other users on the machine.
Seems to be independent of OS.

Reproducible: Always

Steps to Reproduce:
1. Type in an FTP address in the classical way: ftp://user:password@ftp.adr
2. The complete address including username/password is stored in the most recently
visited sites.
3. If a download is started, the complete address including username/password is
visible and stored in the source column of the download manager.

Actual Results:  
After downloading or looking in site history username/password is still visible
to other users of this machine.

Expected Results:  
User/Password@ should be deleted after download has ended.
User/password@ should not be visible in site history.
The history part is bug 130327
Group: security
Status: UNCONFIRMED → NEW
Depends on: 130327
Ever confirmed: true
Summary: on ftp user:password@site is not hidden in download-managers source column; same in browsers history → on ftp user:password@site is not hidden in download-managers source column
Can you reproduce with SeaMonkey v1.1.9?
Can you reproduce with SeaMonkey v2.0a1pre?
Assignee: dveditz → nobody
Version: unspecified → 1.7 Branch
(Reporter)

Comment 3

10 years ago
(In reply to comment #2)
> Can you reproduce with SeaMonkey v1.1.9?
> Can you reproduce with SeaMonkey v2.0a1pre?
> 

Reproducible with SeaMonkey v1.1.9,
not tested with v2.0a1pre
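
What the report's expected results ask for, as an added example that is not part of this bug report or of SeaMonkey's code: strip the user:password@ part before a URL is written to a download record. The function names and the record shape are hypothetical, and the sample records are constructed from the URL forms used in the report.

```javascript
// Added example, not SeaMonkey code. Function names and the record shape
// ({ source, target }) are hypothetical.

// Fallback for strings the URL parser rejects: remove everything between
// "scheme://" and the last "@" that precedes the first "/", "?" or "#".
const USERINFO_RE = /^([a-z][a-z0-9+.-]*:\/\/)[^\/?#]*@/i;

// Return the URL without its user:password@ part, plus a flag saying
// whether anything was removed.
function stripUserinfo(raw) {
  try {
    const url = new URL(raw);
    const had = url.username !== '' || url.password !== '';
    url.username = '';
    url.password = '';
    // Leave credential-free URLs byte-for-byte unchanged.
    return { url: had ? url.href : raw, hadCredentials: had };
  } catch (err) {
    const cleaned = raw.replace(USERINFO_RE, '$1');
    return { url: cleaned, hadCredentials: cleaned !== raw };
  }
}

// Scrub the field that a download list would show in its source column.
// Returns new records and the number of entries that carried credentials.
function scrubDownloadRecords(records) {
  let redacted = 0;
  const clean = records.map((rec) => {
    const { url, hadCredentials } = stripUserinfo(rec.source);
    if (hadCredentials) redacted += 1;
    return { ...rec, source: url };
  });
  return { clean, redacted };
}

// Constructed sample records using the URL forms from the report.
const SAMPLE = [
  { source: 'ftp://user:password@ftp.adr/pub/file.zip', target: 'file.zip' },
  { source: 'ftp://ftp.adr/pub/readme.txt', target: 'readme.txt' },
  { source: 'ftp://user:p@ss@somewhere.com/a.iso', target: 'a.iso' }, // "@" in password
  { source: 'ftp://user:password@ftp.adr:99999/x', target: 'x' }, // bad port, parser rejects
];

const result = scrubDownloadRecords(SAMPLE);
console.log(result.redacted, result.clean.map((r) => r.source));
```

The same `stripUserinfo` call applies to history entries; the credentials themselves still have to reach the FTP connection through a separate channel that is never persisted or displayed.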