Closed
Bug 404361
Opened 17 years ago
Closed 17 years ago
username & password used for connections via ftp:// are stored in history
Categories
(Firefox :: Bookmarks & History, enhancement)
Tracking
()
RESOLVED
DUPLICATE
of bug 130327
People
(Reporter: spucktier, Unassigned)
References
()
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9 While there's an option to protect stored passwords in ffox it's still possible to see the cleartext username & password for an ftp connection when the user opens it by using the URI syntax ftp://user:pass@site.tld The complete URI, including user & pass gets stored in the history which could pose a possible security risc. it's also copied to the clipboard when you select the history-item and use the "copy link location" function. Additionally, user & pass get stored automatically, the user is not asked if he actually wants to store this sensitive information. Reproducible: Always Steps to Reproduce: 1. open ftp://user:pass@site.tld 2. open history and use "copy link location" function (context menu) OR type ftp://user into the adressbar and wait for autocompletion Expected Results: 1. when ftp connection is established by using the ftp://user:pass@site.tld syntax, password manager should jump in and ask if the user wants to save those credentials 2. completely strip username & password from browser history! I marked this one a security issue as I dont want to outrule the possibility of someone beeing clever and get some sort of hack out in the wild that parses the users history for ftp:// strings. If you don't share my view on this matter, feel free to remove the security flag. This is marked as an enhancement request due to the character of the problem. It's not really a bug in FF, it's something that could be improved.
Updated•17 years ago
|
Summary: user & pass used for connections via ftp:// are stored in history → username & password used for connections via ftp:// are stored in history
Updated•17 years ago
|
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Component: History → Bookmarks & History
QA Contact: history → bookmarks
You need to log in
before you can comment on or make changes to this bug.
Description
•