A password can accidentally be sent to a machine on the internet instead of an intranet machine

Status: RESOLVED INCOMPLETE
Product: Firefox
Component: Security
Reported: 11 years ago
Modified: 8 years ago
Reporter: Øyvind Harboe
Assignee: Unassigned
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 11 years ago)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nb-NO; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4

1. A URL sent to an intranet machine can contain confidential information. This information should not be sent out to the internet. For badly implemented server applications (I've seen a few!), this can even include passwords in cleartext!

2. If someone visits a company, they can easily hear or see the name of an intranet machine.

3. At some point, this intranet machine will be taken down for maintenance. We'll call the machine "foobar".

4. Meanwhile the malefactor has registered an internet domain foobar.com

5. When the client points his browser to the "foobar" intranet machine and it does not exist, the browser will redirect him to foobar.com

6. With a bit of effort, they can make the attack a bit more spiffy with phishing pages.

Ask the guys who have "www.localhost.com" what they have picked up over the years!!! :-)

Reproducible: Always

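The rewrite the reporter describes is Firefox's "alternate domain fixup": a bare single-label hostname that fails to resolve is retried as www.<name>.com, so the path and query the user typed are sent to that external host instead. The model below is an added example, not Mozilla's implementation or the reporter's code: the intranet DNS table, the list of sensitive query parameters and the sample URLs are constructed for the illustration, and the prefix/suffix constants mirror the defaults of Firefox's browser.fixup.alternate.prefix and browser.fixup.alternate.suffix preferences.

```python
"""
Model of the browser "alternate domain fixup" described in the report: when a
single-label hostname such as "foobar" does not resolve, Firefox (with the
browser.fixup.alternate.enabled pref on) retries as www.foobar.com, so whatever
the user typed after the hostname is sent to that external host instead.

Added illustration, not Mozilla's implementation. The DNS view, the sensitive
parameter list and the sample URLs are constructed for the example.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed intranet DNS view: only names listed here resolve.
INTRANET_DNS = {"foobar": "10.0.0.5", "wiki": "10.0.0.6"}

# Mirrors Firefox's browser.fixup.alternate.prefix / .suffix defaults.
ALTERNATE_PREFIX = "www."
ALTERNATE_SUFFIX = ".com"

# Query parameters treated as secrets (assumed list for the example).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "sessionid"}


def resolves(host, dns=INTRANET_DNS):
    """Stand-in for the resolver: True if the intranet knows this name."""
    return host in dns


def fixup_url(url, dns=INTRANET_DNS, alternate_enabled=True):
    """Return the URL the browser actually fetches after fixup.

    Only bare single-label names are rewritten; dotted names and IPs are
    left alone, as is anything that resolves, or any URL when fixup is off.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not alternate_enabled or "." in host or resolves(host, dns):
        return url
    new_host = f"{ALTERNATE_PREFIX}{host}{ALTERNATE_SUFFIX}"
    # Rebuild netloc so userinfo and port survive the host swap.
    userinfo = parts.netloc.rsplit("@", 1)[0] + "@" if "@" in parts.netloc else ""
    port = f":{parts.port}" if parts.port else ""
    return urlunsplit((parts.scheme, f"{userinfo}{new_host}{port}",
                       parts.path, parts.query, parts.fragment))


def leaked_secrets(original, fetched):
    """Sensitive parts of `original` that end up at a host other than intended.

    Returns {} when the host did not change; otherwise a dict of the
    credentials in userinfo and any sensitive query parameters.
    """
    o, f = urlsplit(original), urlsplit(fetched)
    if (o.hostname or "") == (f.hostname or ""):
        return {}
    leaked = {}
    if o.username or o.password:
        leaked["userinfo"] = ":".join(p for p in (o.username, o.password) if p)
    for name, values in parse_qs(o.query).items():
        if name.lower() in SENSITIVE_PARAMS:
            leaked[name] = values[0]
    return leaked


if __name__ == "__main__":
    typed = "http://foobar/login?user=bob&password=hunter2"
    # "foobar" is up: the request stays on the intranet.
    print(fixup_url(typed))
    # "foobar" is down for maintenance: the same URL now goes to www.foobar.com.
    down = {k: v for k, v in INTRANET_DNS.items() if k != "foobar"}
    fetched = fixup_url(typed, dns=down)
    print(fetched, leaked_secrets(typed, fetched))
    # Same outage with alternate fixup disabled: the request simply fails.
    print(fixup_url(typed, dns=down, alternate_enabled=False))
```

Two things the model makes visible. First, the rewrite is only triggered by a bare single-label name that gets NXDOMAIN, so intranet hosts reached through a configured DNS search suffix (which makes "foobar" resolve as foobar.corp.example) or typed with a dot are never redirected. Second, the leak is only as bad as what the application puts in the URL: userinfo and query-string credentials travel with the rewritten request, while a POST body or a cookie scoped to the intranet host does not. On the client side the behaviour is governed by the boolean browser.fixup.alternate.enabled preference in about:config, and the practical check is to confirm it is false on managed desktops.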
Comment 1 (8 years ago)

Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE. Please reopen or file a new bug if you can still reproduce the bug.

Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE