Closed
Bug 385605
Opened 17 years ago
Closed 3 years ago
URL passwords accessible from Flash or other plugins
Categories: Core Graveyard :: Plug-ins, defect, P3
Tracking: (Not tracked)
Status: RESOLVED WONTFIX
People: (Reporter: jarfil, Unassigned)
Details: (Keywords: privacy, sec-want, Whiteboard: [sg:want])
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty)
If you access any url with the "user:password" form, any plugin in such a page receives full password information even if the user is shown a stripped url in the location bar.
Exploits are already in the wild.
Reproducible: Always
Steps to Reproduce:
1. Embed flash in web page
2. Open page from some url in the form "ftp://user:password@page.html"
3. Flash receives full "user:password" in its this._url
Actual Results:
Sites like YouTube (and others) store referers based on in-flash url detection instead of browser-provided referer fields.
This leads to exposure of user passwords with no notification, actually misleading users into thinking they are secure (url in firefox location bar shows no user:password).
Expected Results:
Passwords in urls should be stripped or obfuscated _before_ sending them to Flash or any other plugins.
Comment 1•17 years ago
I'm not sure I understand the scope of this problem. Why would a password-protected site refer to untrusted, off-site plugin content? Doesn't referring to an off-site URL using <object> or <embed> create an XSS hazard anyway?
> Exploits are already in the wild.
No need for this bug to be hidden, then.
Group: security
Comment 2•17 years ago (Reporter)
It seems to be an XSS security problem due to some developers accessing third-party url-logging flash content (aka: Youtube videos) directly from an ftp connection.
Actually it's more of a "confiability" concern, since these users would get misled by the apparently innocuous location bar url.
Unintended exploits using YouTube and Google:
- http://www.google.com/search?q=site%3Ayoutube.com+%22clicks+from+ftp+%40%22
- cached: http://www.teoriza.com/cache/304
Published on:
- http://meneame.net/story/error-muy-grave-de-google
- http://digg.com/security/very_very_big_bug_in_GOOGLE
This is extensible to any similar url-logging contents.
Seems to be solved in Opera by substituting "user:password" with "user:*****".
Actually removing the ":password" part altogether may prove good enough, since when accessing password-protected ftp urls in the form "ftp://page.html", this is the only part that gets sent anyway, and "ftp://user@page.html" should suffice for unique identification of any such resources.
Comment 3•17 years ago
Original source seems to be
http://www.w4ck1ng.com/board/showthread.php/new-youtube-exploit-ftp-5521.html
From there to
http://silentzzz.blogspot.com/2007/06/google-indexes-ftp-credentials-from.html
Credited on the "Month of Search Engine Bugs" which has a large audience
http://websecurity.com.ua/category/moseb/#post-1070
Updated•17 years ago
Flags: blocking-firefox3? → blocking-firefox3+
Comment 4•17 years ago
This is a core bug, moving and renominating.
Component: Security → Plug-ins
Flags: blocking-firefox3+
Product: Firefox → Core
QA Contact: firefox → plugins
Updated•17 years ago
Flags: blocking1.9?
Seems like there's no harm in removing the username/password before handing the page-uri to the plugin.
Assignee: nobody → dveditz
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
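The sanitisation proposed just above (strip the username/password before handing the page-uri to the plugin), alongside the two alternatives weighed in comment 2 (Opera's "user:*****" masking, or dropping only the ":password" part), written out as an added example. This is not code from this bug or from Mozilla/Gecko: it uses the WHATWG URL API available in Node.js and current browsers instead of Gecko's internal URI classes, and the sample ftp URL is constructed.

```javascript
// Added example (not Mozilla/Gecko code): sanitising a page URL before it is
// handed to embedded plugin content, using the WHATWG URL API available in
// Node.js and current browsers. The sample URL at the bottom is constructed.

// Detection check: does the URL a plugin would receive carry userinfo at all?
function hasCredentials(rawUrl) {
  const u = new URL(rawUrl);
  return u.username !== '' || u.password !== '';
}

// The approach suggested in comment 5: remove username and password entirely.
// "ftp://user:pw@host/p" -> "ftp://host/p"
function stripCredentials(rawUrl) {
  const u = new URL(rawUrl);
  u.username = '';
  u.password = '';
  return u.href;
}

// Comment 2's alternative: keep the username (enough to identify the
// resource) and drop only the password.
// "ftp://user:pw@host/p" -> "ftp://user@host/p"
function dropPasswordOnly(rawUrl) {
  const u = new URL(rawUrl);
  u.password = '';
  return u.href;
}

// The Opera behaviour described in comment 2: keep the username and replace
// the password with a fixed mask, so the consumer sees that a password was
// present but never its value.
// "ftp://user:pw@host/p" -> "ftp://user:*****@host/p"
function maskPassword(rawUrl) {
  const u = new URL(rawUrl);
  if (u.password !== '') u.password = '*****';
  return u.href;
}

// Constructed sample in the bug's "ftp://user:password@page.html" form.
const sample = 'ftp://user:s3cret@example.com/page.html';
console.log(hasCredentials(sample));   // true
console.log(stripCredentials(sample)); // ftp://example.com/page.html
console.log(dropPasswordOnly(sample)); // ftp://user@example.com/page.html
console.log(maskPassword(sample));     // ftp://user:*****@example.com/page.html
```

Of the three, stripping the whole userinfo is the safest default: it leaks nothing and matches what the location bar already shows the user; the masked form is only useful where a downstream consumer needs to know that a credential existed.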
Comment 6•17 years ago
Holy ****, this is huge. Needs to be patched immediately.
Updated•17 years ago
Flags: wanted1.8.1.x+
OS: Linux → All
Hardware: PC → All
Summary: URL passwords accessible from Flash → URL passwords accessible from Flash or other plugins
Updated•17 years ago
Flags: wanted1.9.0.x+
Flags: tracking1.9+
Flags: blocking1.9-
Updated•17 years ago
Whiteboard: [sg:want]
Updated•16 years ago
Assignee: dveditz → nobody
Comment 7•9 years ago
I can't edit the "See also" field in this report, so I'll just comment here that Bug 1198194 is related.
Comment 8•3 years ago
Resolving as won't fix, plugin support deprecated in Firefox 85.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
Updated•2 years ago
Product: Core → Core Graveyard