Firefox Vulnerability Issue November 22, 2006 11:31 AM Subscribe
New firefox vulnerability leaves people open to password theft:
Proof of concept here
Does metafilter strip out form tags?
Proof of concept here
Does metafilter strip out form tags?
Netcraft confirms it!
And yeah, as far as I know a form-dependent hack is DOA. Though we should probably get mock's take on it.
posted by cortex at 11:43 AM on November 22, 2006
And yeah, as far as I know a form-dependent hack is DOA. Though we should probably get mock's take on it.
posted by cortex at 11:43 AM on November 22, 2006
Obvious Firefox Down! reference also DOA.
posted by It's Raining Florence Henderson at 12:14 PM on November 22, 2006
posted by It's Raining Florence Henderson at 12:14 PM on November 22, 2006
Oh, whew:
Mozilla confirmed this as bug number 360493, and said they are already working on a fix for version 2.0.0.1 or 2.0.0.2.From the article you linked to.
posted by boo_radley at 12:20 PM on November 22, 2006
I really miss the form tag.
posted by and hosted from Uranus at 12:38 PM on November 22, 2006
posted by and hosted from Uranus at 12:38 PM on November 22, 2006
sounds interesting, anybody care to explain this to low-tech, very little 1337 users?
posted by matteo at 12:39 PM on November 22, 2006
posted by matteo at 12:39 PM on November 22, 2006
This is pretty marginal. Any site that lets users enter things like <FORM> is already pretty seriously fucked.
There's a reason that long ago forums invented BBcode (aka [b]bold[/b] [url]http://example.com[/url] etc) -- because stripping ALL html and then allowing a very limited subset of made up tags is much easier than trying to only let through "safe" html.
posted by Rhomboid at 12:51 PM on November 22, 2006
There's a reason that long ago forums invented BBcode (aka [b]bold[/b] [url]http://example.com[/url] etc) -- because stripping ALL html and then allowing a very limited subset of made up tags is much easier than trying to only let through "safe" html.
posted by Rhomboid at 12:51 PM on November 22, 2006
Firefox can be set up to automatically give your password to a site. The site requests a password (usually) with a FORM tag. If that form tag includes an INPUT tag named PASSWORD, Firefox will automatically fill it in (if you set FF to so this) and submit the FORM. Submitting means sending the data (name and password) to the originating web site.
So far, so good.
Sites that allow users to add arbitrary HTML in comment might allow user a FORM tag to his comment. If that user-added FORM tag includes an INPUT tag named PASSWORD, Firefox will also fill that in, and submit it.
But the user who added FORM tag to his comment will indicate the user's site as the destination for the submit, and FF (bad bug!) will send the password to the comment-adding user.
posted by orthogonality at 12:56 PM on November 22, 2006
So far, so good.
Sites that allow users to add arbitrary HTML in comment might allow user a FORM tag to his comment. If that user-added FORM tag includes an INPUT tag named PASSWORD, Firefox will also fill that in, and submit it.
But the user who added FORM tag to his comment will indicate the user's site as the destination for the submit, and FF (bad bug!) will send the password to the comment-adding user.
posted by orthogonality at 12:56 PM on November 22, 2006
It didn't have the intended effect here at work. I AM IMPERVIOUS.
FF 2.0 on XP (sp 9,547,903,545ty-something.)
posted by loiseau at 1:13 PM on November 22, 2006
FF 2.0 on XP (sp 9,547,903,545ty-something.)
posted by loiseau at 1:13 PM on November 22, 2006
You are only vulnerable if you enable the "Save form passwords" option and you click "Remember" when prompted after submitting the form.
posted by Rhomboid at 1:17 PM on November 22, 2006
posted by Rhomboid at 1:17 PM on November 22, 2006
orthogonality: Does Firefox actually submit the form though? I don't think submitting it is standard FF behaviour. I think there must be another stage to this, perhaps a bit of Javascript on the page, that causes the form to be submitted once Firefox puts the password into the password field.
posted by matthewr at 1:29 PM on November 22, 2006
posted by matthewr at 1:29 PM on November 22, 2006
You are only vulnerable if you enable the "Save form passwords" option and you click "Remember" when prompted after submitting the form.
Ah. Well I didn't do that because I wasn't ever planning to go back there again. Interesting though.
I'm not impervious. : (
posted by loiseau at 1:39 PM on November 22, 2006
Ah. Well I didn't do that because I wasn't ever planning to go back there again. Interesting though.
I'm not impervious. : (
posted by loiseau at 1:39 PM on November 22, 2006
matthewr writes "orthogonality: Does Firefox actually submit the form though? "
You're right, I was wrong.
posted by orthogonality at 1:56 PM on November 22, 2006
You're right, I was wrong.
posted by orthogonality at 1:56 PM on November 22, 2006
perhaps a bit of Javascript on the page, that causes the form to be submitted once Firefox puts the password into the password field.
It only works when you click the link.
posted by cillit bang at 3:09 PM on November 22, 2006
It only works when you click the link.
posted by cillit bang at 3:09 PM on November 22, 2006
Ah right. With a bit of scripty goodness, I expect you could make the form submit itself directly after Firefox 'types' in the password. For this to work, Firefox would have to be firing the relevant events in the same way as a real user typing the password in — I don't know if this is the case.
posted by matthewr at 3:28 PM on November 22, 2006
posted by matthewr at 3:28 PM on November 22, 2006
I believe most members on MeFi would strip at the drop of a hat. But you'd have to drop a hat to confirm that.
posted by blue_beetle at 3:28 PM on November 22, 2006
posted by blue_beetle at 3:28 PM on November 22, 2006
I think we should just shut all web servers down until this is fixed. It's the only way!
posted by StrasbourgSecaucus at 6:58 PM on November 22, 2006
posted by StrasbourgSecaucus at 6:58 PM on November 22, 2006
This guy seems to agree.
I love it when people SHOUT AT THE DEVELOPERS in bugzilla :-)
I'm sure there are little flecks of mouth foam sticking to the inside of my screen by the time he's finished.
posted by flabdablet at 3:43 AM on November 23, 2006
I love it when people SHOUT AT THE DEVELOPERS in bugzilla :-)
I'm sure there are little flecks of mouth foam sticking to the inside of my screen by the time he's finished.
posted by flabdablet at 3:43 AM on November 23, 2006
The Bugtraq list notes that Firefox 1.5.08 and Netscape Navigator 8.1.2 (ya, I didn't know there was a Navigator 8 either.) are both affected as well.
posted by eriko at 10:59 AM on November 23, 2006
posted by eriko at 10:59 AM on November 23, 2006
flabdablet: I love it when people SHOUT AT THE DEVELOPERS in bugzilla :-)
I'm sure there are little flecks of mouth foam sticking to the inside of my screen by the time he's finished.
Wow. Guy needs some tranquilizers. And a beer. And ~I~ need someone to clean the flecks of foam off the inside of my monitor.
I never understood how people could feel safe with all their logins and passwords stored for auto-use. Always seemed like it was just asking for trouble.
posted by Meep! Eek! at 9:56 PM on November 23, 2006
I'm sure there are little flecks of mouth foam sticking to the inside of my screen by the time he's finished.
Wow. Guy needs some tranquilizers. And a beer. And ~I~ need someone to clean the flecks of foam off the inside of my monitor.
I never understood how people could feel safe with all their logins and passwords stored for auto-use. Always seemed like it was just asking for trouble.
posted by Meep! Eek! at 9:56 PM on November 23, 2006
You are not logged in, either login or create an account to post comments
posted by public at 11:40 AM on November 22, 2006