Closed Bug 385605 Opened 17 years ago Closed 3 years ago

URL passwords accessible from Flash or other plugins

Categories

(Core Graveyard :: Plug-ins, defect, P3)

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jarfil, Unassigned)

Details

(Keywords: privacy, sec-want, Whiteboard: [sg:want])

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 (Ubuntu-feisty)

If you access any URL with the "user:password" form, any plugin in such a page receives the full password information even if the user is shown a stripped URL in the location bar. Exploits are already in the wild.

Reproducible: Always

Steps to Reproduce:
1. Embed Flash in a web page
2. Open the page from some URL in the form "ftp://user:password@page.html"
3. Flash receives the full "user:password" in its this._url

Actual Results:
Sites like YouTube (and others) store referers based on in-Flash URL detection instead of browser-provided referer fields. This leads to exposure of user passwords with no notification, actually misleading users into thinking they are secure (the URL in the Firefox location bar shows no user:password).

Expected Results:
Passwords in URLs should be stripped or obfuscated _before_ sending them to Flash or any other plugins.
I'm not sure I understand the scope of this problem. Why would a password-protected site refer to untrusted, off-site plugin content? Doesn't referring to an off-site URL using <object> or <embed> create an XSS hazard anyway?

> Exploits are already in the wild.

No need for this bug to be hidden, then.
Group: security
It seems to be an XSS security problem due to some developers accessing third-party URL-logging Flash content (aka YouTube videos) directly from an FTP connection. Actually it's more of a "confiability" concern, since these users would get misled by the apparently innocuous location bar URL.

Unintended exploits using YouTube and Google:
- http://www.google.com/search?q=site%3Ayoutube.com+%22clicks+from+ftp+%40%22
- cached: http://www.teoriza.com/cache/304

Published on:
- http://meneame.net/story/error-muy-grave-de-google
- http://digg.com/security/very_very_big_bug_in_GOOGLE

This is extensible to any similar URL-logging content. Seems to be solved in Opera by substituting "user:password" with "user:*****". Actually removing the ":password" part altogether may prove good enough, since when accessing password-protected FTP URLs in the form "ftp://page.html", this is the only part that gets sent anyways, and "ftp://user@page.html" should suffice for unique identification of any such resources.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking-firefox3?
Keywords: privacy
Flags: blocking-firefox3? → blocking-firefox3+
This is a core bug, moving and renominating.
Component: Security → Plug-ins
Flags: blocking-firefox3+
Product: Firefox → Core
QA Contact: firefox → plugins
Flags: blocking1.9?
Seems like there's no harm in removing the username/password before handing the page-uri to the plugin.
Assignee: nobody → dveditz
Flags: blocking1.9? → blocking1.9+
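The fix proposed above (drop the username/password before the page URI reaches the plugin) and the two alternatives from comment 1 (Opera's "user:*****" masking, or keeping only "user@") can be compared side by side. The following is an added example written for this page, not Gecko's plugin-host code (which is C++); it is a Python stand-in with hypothetical names `sanitize_url_for_plugin` and `password_in_url`, and the sample URL is constructed. It rewrites only the userinfo part of the authority and leaves scheme, host, path, query and fragment untouched, and the second function is the check a plugin host or test suite can run on the value it is about to expose.

```python
from urllib.parse import urlsplit, urlunsplit

# Sanitisation policies, named after the options discussed in the thread:
#   "strip-password"  -> ftp://user@host/...     (drop only the password)
#   "mask"            -> ftp://user:*****@host/  (what Opera reportedly did)
#   "strip-userinfo"  -> ftp://host/...          (what the Firefox location bar showed)
POLICIES = ("strip-password", "mask", "strip-userinfo")


def sanitize_url_for_plugin(url: str, policy: str = "strip-password") -> str:
    """Return `url` with the userinfo part rewritten according to `policy`.

    This is the string a plugin host should hand to a plugin (for example as
    the page URL Flash exposes in this._url); the real password never leaves
    the browser. Everything other than the userinfo is left untouched.
    (Hypothetical helper written for this example, not Gecko code.)
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    parts = urlsplit(url)
    # RFC 3986 userinfo ends at the *last* '@' in the authority, so a
    # password that itself contains '@' is handled correctly.
    userinfo, at, hostport = parts.netloc.rpartition("@")
    if not at:
        return url  # no credentials embedded, nothing to do
    username, colon, _password = userinfo.partition(":")
    if policy == "strip-userinfo":
        new_userinfo = ""
    elif policy == "mask":
        new_userinfo = f"{username}:*****@" if colon else f"{username}@"
    else:  # strip-password
        new_userinfo = f"{username}@" if username else ""
    return urlunsplit(parts._replace(netloc=new_userinfo + hostport))


def password_in_url(url: str):
    """Return the password embedded in `url`, or None if there is none.

    Anything other than None means the URL about to be exposed still carries
    a credential field; note that the "mask" policy deliberately leaves a
    placeholder there, so a leak check should compare against the real
    password rather than only test for presence.
    """
    return urlsplit(url).password


if __name__ == "__main__":
    # Constructed sample: the URL shape from the bug report, with a path added.
    page_url = "ftp://user:password@page.html/videos/index.html?v=1#top"
    for policy in POLICIES:
        exposed = sanitize_url_for_plugin(page_url, policy)
        print(f"{policy:15} -> {exposed}  (password seen: {password_in_url(exposed)})")
```

Of the three policies, "strip-password" matches comment 1's suggestion that "ftp://user@page.html" still identifies the resource uniquely, while "strip-userinfo" makes the plugin-visible URL agree with what the location bar already shows the user.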
Holy ****, this is huge. Needs to be patched immediately.
Flags: wanted1.8.1.x+
OS: Linux → All
Hardware: PC → All
Summary: URL passwords accessible from Flash → URL passwords accessible from Flash or other plugins
Flags: wanted1.9.0.x+
Flags: tracking1.9+
Flags: blocking1.9-
Whiteboard: [sg:want]
Assignee: dveditz → nobody
I can't edit the "See also" field in this report, so I'll just comment here that Bug 1198194 is related.
Resolving as WONTFIX, plugin support deprecated in Firefox 85.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard