Unfortunately, not all routers use basic http authentication. The philips router I was talking about earlier authenticates using a request like http://192.168.1.1/cgi-bin/login.exe?pws=PASSWORD. Even then, this is only necessary to actually visit the configuration pages, not to make changes using techniques described above. I know not all people use routers this insecure, but I don't know how many people do (this is however the router distributed by the major ISP in my country). You suggested the warning window on <script src=...>, malicious requests can also be made using <img src=...> and <href=... (if you can get the user to click a link). Also, the brand and model of a router can be discovered by requesting images from the login page unique to each model of router. This way the router can be identified without any http authentication. In the future this may allow attackers to attack specified routers using other means. Does anyone know an actual use for requesting anything on the LAN unless the user has typed the IP address in the url bar?
(In reply to comment #2) > Unfortunately, not all routers use basic http authentication. The philips > router I was talking about earlier authenticates using a request like > http://192.168.1.1/cgi-bin/login.exe?pws=PASSWORD. > > Even then, this is only necessary to actually visit the configuration pages, > not to make changes using techniques described above. I know not all people > use routers this insecure, but I don't know how many people do (this is however > the router distributed by the major ISP in my country). > > You suggested the warning window on <script src=...>, malicious requests can > also be made using <img src=...> and <href=... (if you can get the user to > click a link). > > Also, the brand and model of a router can be discovered by requesting images > from the login page unique to each model of router. This way the router can be > identified without any http authentication. In the future this may allow > attackers to attack specified routers using other means. > > Does anyone know an actual use for requesting anything on the LAN unless the > user has typed the IP address in the url bar? > A router that accepts cgi commands without password protection is certainly an unacceptable security risk that leaves the user defenceless, but this is not a browser issue. Complain to your ISP, they should change the firmware on their routers. But Mozilla could at least enhance the security of basic HTTP authentification
A firmware update appears to have fixed the login problem (maybe OT but to anyone who'll also update to the latest firmware: it assigns two "physical" ports to belgacom tv so you may want to change that back). On other routers default passwords remain a problem however... How's mozilla's standpoint towards protecting the user against himself? (I notice the irony in this since I didn't go looking for a firmware update every month (my isp could've send an email or something))
Depends on bug https://bugzilla.mozilla.org/show_bug.cgi?id=38933 "Warn before using foreign authentication/cookies/POST data"
Should also depend on bug 354493 IMHO.