[Branch] Firefox 2.0.0.1 fixlist (NOW RELEASED)
- Lucky
- Posts: 227
- Joined: January 28th, 2003, 4:31 am
- Location: Essen / Germany
- Contact:
#360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All]
This bug isn't fixed. I have tested it on heise security and it works... ;(
http://www.heise-security.co.uk/service ... ass1.shtml
Or it's not that bug?
Lucky
-
- Posts: 0
- Joined: December 31st, 1969, 5:00 pm
Lucky wrote: #360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All]
Above (http://forums.mozillazine.org/viewtopic.php?p=2640505#2640505), colfer wrote: So far you have to use about:config to change it:
signon.prefillForms (true/false)
Only when signon.prefillForms is set to false, the "exploit" won't work anymore. That pref will be switched for Firefox 2.0.0.2 (unless there's a respin).
CrazyFred wrote: Looks like there will be a respin of 2.0.0.1 to pick up the default pref change for password prefill and the broken ctrl-shift-# shortcuts.
You're mis-interpreting the flags: they just mean that should there be a respin, those patches will be included as well - otherwise they'll make Firefox 2.0.0.2. Reasons for a respin are usually only top-crashers and severe security and dataloss issues. Both bugs don't qualify for either of these...
-
- Posts: 630
- Joined: November 4th, 2002, 7:49 pm
-
- Posts: 4283
- Joined: May 17th, 2003, 12:05 pm
- Location: London, UK
I'm told that the windows and mac rc2 builds are identical to the rc1 builds; the only change between rc1 and rc2 is for linux and that's to fix:
- #363054 [Core:Keyboard: Navigation]-Ctrl-Shift Keyboard Shortcuts broken (linux) [Lin]
- colfer
- Posts: 643
- Joined: December 4th, 2002, 9:34 am
- Location: Bear
Yep, same date stamp. Brendan weighed in today on the (ridiculously bloated, should be forum posts) discussion in Bug 360493, "We need a real fix. Since there are other important fixes to get out in 2.0.0.1, we should put our energy into the right fix for the next patch release." In other words, the pref is available in about:config, but it defaults to <edit>true</edit>, so Firefox behaves the same as always.
Meanwhile, MySpace has fixed their problem, and all hosts that allow individually controlled example.com/acct1, example.com/acct2 hosting are advised that they are vulnerable to Javascript attacks anyway (XSS), so the autofill thing, no matter how deviously constructed, is no worse. If they filter users from posting Javascript, then they should filter them from posting password forms (by <input> name or type? I'm not sure.) What, are the days of university.edu/~acct over? Are they really using acct.university.edu? (Javascript respects full domain name, as does password manager.)
This kind of form still works in MySpace profiles, but the domain is profiles.myspace.com, presumably not a login domain:
"You can buy (my CD) right here!
[form action="http://cdbaby.com/cart" method="post"]
Price: $15.00
Quantity: ___
Buy Now! (submit button)
[/form]
Looks like the upcoming better fix for 2.0.0.2 would involve remembering something else about the page besides just the domain name and form fields. I doubt that preventing html/css/javascript tricks for obscuring and submitting the form is KISS (simple) enough.
My opinion: the pref should be flipped in 2.0.0.1. It would annoy users but in a respectful way. Maybe add a dorky "quick-autofill this form next time?" dialog in 2.0.0.2. But I'm not as cautious as a Mozilla driver.
Last edited by colfer on December 9th, 2006, 7:33 am, edited 1 time in total.
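The filtering colfer suggests for shared hosts, as an added example that is not part of the thread or Mozilla's code: a Python check over user-submitted markup that rejects any `type="password"` input and reports forms whose action leaves the site. The function names, placeholder hosts and sample snippets are constructed for illustration, and deciding on the field's `type` rather than its `name` is this example's assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormAudit(HTMLParser):
    """Records password inputs and off-site form actions in user markup."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names; values may be None.
        a = {name: (value or "") for name, value in attrs}
        if tag == "form":
            host = urlparse(a.get("action", "").strip()).hostname or ""
            if host and host != self.site_host:
                self.findings.append(("offsite-form-action", host))
        elif tag == "input" and a.get("type", "text").strip().lower() == "password":
            self.findings.append(("password-input", a.get("name", "")))


def audit_user_html(markup, site_host):
    """Return (kind, detail) findings for one piece of user-submitted HTML."""
    parser = FormAudit(site_host)
    parser.feed(markup)
    parser.close()
    return parser.findings


def is_postable(markup, site_host):
    """Policy: user content may carry forms, but never a password field."""
    findings = audit_user_html(markup, site_host)
    return all(kind != "password-input" for kind, _ in findings)


# Constructed samples: the CD-shop form from the post written as real HTML,
# and a profile snippet with a password field (hosts are placeholders).
CD_FORM = ('<form action="http://cdbaby.com/cart" method="post">Price: $15.00 '
           'Quantity: <input name="qty" size="2"> '
           '<input type="submit" value="Buy Now!"></form>')
PASSWORD_FORM = ('<form action="http://collector.example/save" method="post">'
                 '<input name="user"><input type="PASSWORD" name="pass"/></form>')

if __name__ == "__main__":
    for sample in (CD_FORM, PASSWORD_FORM):
        print(is_postable(sample, "profiles.example"),
              audit_user_html(sample, "profiles.example"))
```

The off-site action is reported but not blocked, matching the post's point that an ordinary shop form is harmless; only the password field makes the content unpostable.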
- Nitin
- Moderator
- Posts: 3483
- Joined: February 27th, 2003, 9:38 pm
- Location: San Jose, CA
- Contact:
Wow, that's a lot of fixes for a .0.0.1 release!
If you're not using Firefox, you're not surfing the web, you're suffering it.
Join the MZ folding@home team.
- Frank Lion
- Posts: 21173
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
-
- Posts: 0
- Joined: December 31st, 1969, 5:00 pm
- Frank Lion
- Posts: 21173
- Joined: April 23rd, 2004, 6:59 pm
- Location: ... The Exorcist....United Kingdom
- Contact:
Omega X wrote: Frank Lion wrote: I know I should know this, but do we have a public ETA for the 2.0.0.1 release yet?
I heard December 15th, though it could be later.
Many thanks, I just needed a rough idea, that's fine.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
- greenknight
- Posts: 6187
- Joined: December 13th, 2004, 2:28 am
- Location: In the shadow of Mount St. Helens
xpgeek wrote: I actually like and prefer the change that signon.prefillForms = false provides.
Can't say I like it, but it's not too annoying. I had feared much worse.
Win 10 Pro x64, AMD Ryzen 5 5600G 6 core, 3900 MHz (4450 Turbo), AMD Radeon Vega (integrated graphics). 16GB DDR4-3200, Firefox 124.0.1, Developer Edition 125.0b5, Nightly 126.0a1.
-
- Posts: 1264
- Joined: June 16th, 2004, 6:00 am
- Location: Exton, PA
colfer wrote: Yep, same date stamp. Brendan weighed in today on the (ridiculously bloated, should be forum posts) discussion in Bug 360493,
Now there's an understatement. That's the first bug where I've actually un-CCed myself from it because I couldn't take the inane discussion anymore.
EDIT: Though I have to say, Bob Novell's long-winded diatribes have been good for an occasional laugh. That guy reminds me of Chicken Little meets that crazy guy on the street with a cardboard sign screaming that the world is about to end.
-
- Posts: 4283
- Joined: May 17th, 2003, 12:05 pm
- Location: London, UK