[Branch] Firefox 2.0.0.1 fixlist (NOW RELEASED)

Discussion about official Mozilla Firefox builds
Locked
Old WildcatRay
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by Old WildcatRay »

Domo, Tony E! ;)
User avatar
Lucky
Posts: 227
Joined: January 28th, 2003, 4:31 am
Location: Essen / Germany
Contact:

Post by Lucky »

#360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All]

This bug isn't fixed. I have tested it on heise security and it works... ;(
http://www.heise-security.co.uk/service ... ass1.shtml

Or it's not that bug?

Lucky
4Smoky
Posts: 1
Joined: December 8th, 2006, 3:18 pm

Post by 4Smoky »

#360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All]

The same here . the bug isn´t fixed :(
old zeniko
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by old zeniko »

Lucky wrote:#360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All]

<a href="http://forums.mozillazine.org/viewtopic.php?p=2640505#2640505">Above</a>, colfer wrote:So far you have to use about:config to change it:
signon.prefillForms (true/false)

Only when signon.prefillForms is set to false, the "exploit" won't work anymore. That pref will be switched for Firefox 2.0.0.2 (unless there's a respin).

CrazyFred wrote:Looks like there will be a respin of 2.0.0.1 to pick up the default pref change for password prefill and the broken ctrl-shift-# shortcuts.

You're mis-interpreting the flags: they just mean that should there be a respin, those patches will be included as well - otherwise they'll make Firefox 2.0.0.2. Reasons for a respin are usually only top-crashers and severe security and dataloss issues. Both bugs don't qualify for either of these...
Warduke
Posts: 630
Joined: November 4th, 2002, 7:49 pm

Post by Warduke »

Firefox : One Browser to Rule Them All.
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

i'm told that the windows and mac rc2 builds are identical to the rc1 builds; the only change between rc1 and rc2 is for linux and that's to fix:
  • #363054 [Core:Keyboard: Navigation]-Ctrl-Shift Keyboard Shortcuts broken (linux) [Lin]
User avatar
colfer
Posts: 643
Joined: December 4th, 2002, 9:34 am
Location: Bear

Post by colfer »

Yep, same date stamp. Brendan weighed in today on the (ridiculously bloated, should be forum posts) discussion in Bug 360493, "We need a real fix. Since there are other important fixes to get out in 2.0.0.1, we should put our energy into the right fix for the next patch release." In other words, the pref is available in about:config, but it defaults to <edit>true</edit>, so Firefox behaves the same as always.

Meanwhile, MySpace has fixed their problem, and all hosts that allow individually controlled example.com/acct1, example.com/acct2 hosting are advised that they are vulnerable to Javascript attacks anyway (XSS), so the autofill thing, no matter how deviously constructed, is no worse. If they filter users from posting Javascript, then they should filter them from posting password forms (by <input> name or type? I'm not sure.) What are the days of university.edu/~acct over? Are they really using acct.university.edu? (Javascript respects full domain name, as does password manager.)

This kind of form still works in MySpace profiles, but the domain is profiles.myspace.com, presumably not a login domain:

"You can buy (my CD) right here!
[form action="http://cdbaby.com/cart" method="post"]
Price: $15.00
Quantity: ___
Buy Now! (submit button)
[/form]

Looks like the upcoming better fix for 2.0.0.2 would involve remembering something else about the page besides just the domain name and form fields. I doubt that preventing html/css/javascript tricks for obscuring and submitting the form is KISS (simple) enough.

My opinion: the pref should be flipped in 2.0.0.1. It would annoy users but in a respectful way. Maybe add a dorky "quick-autofill this form next time?" dialog in 2.0.0.2. But I'm not as cautious as a Mozilla driver.
Last edited by colfer on December 9th, 2006, 7:33 am, edited 1 time in total.
User avatar
Nitin
Moderator
Posts: 3483
Joined: February 27th, 2003, 9:38 pm
Location: San Jose, CA
Contact:

Post by Nitin »

Wow, that's a lot of fixes for a .0.0.1 release!
If you're not using Firefox, you're not surfing the web, you're suffering it.
Join the MZ folding@home team.
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Post by Frank Lion »

I know I should know this, but do we have a public ETA for the 2.0.0.1 release yet?
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
xpgeek
Posts: 112
Joined: August 7th, 2005, 3:47 pm
Location: Jersey, USA

Post by xpgeek »

I actually like and prefer the change that signon.prefillForms = false provides.
The Ex Omega
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post by The Ex Omega »

Frank Lion wrote:I know I should know this, but do we have a public ETA for the 2.0.0.1 release yet?


I heard December 15th, though it could be later.
User avatar
Frank Lion
Posts: 21173
Joined: April 23rd, 2004, 6:59 pm
Location: ... The Exorcist....United Kingdom
Contact:

Post by Frank Lion »

Omega X wrote:
Frank Lion wrote:I know I should know this, but do we have a public ETA for the 2.0.0.1 release yet?


I heard December 15th, though it could be later.

Many thanks, I just needed a rough idea, that's fine.
"The only thing necessary for the triumph of evil, is for good men to do nothing." - Edmund Burke (attrib.)
.
User avatar
greenknight
Posts: 6187
Joined: December 13th, 2004, 2:28 am
Location: In the shadow of Mount St. Helens

Post by greenknight »

xpgeek wrote:I actually like and prefer the change that signon.prefillForms = false provides.
Can't say I like it, but it's not too annoying. I had feared much worse.
Win 10 Pro x64, AMD Ryzen 5 5600G 6 core, 3900 MHz (4450 Turbo), AMD Radeon Vega (integrated graphics). 16GB DDR4-3200, Firefox 124.0.1, Developer Edition 125.0b5, Nightly 126.0a1.
RyanVM
Posts: 1264
Joined: June 16th, 2004, 6:00 am
Location: Exton, PA

Post by RyanVM »

colfer wrote:Yep, same date stamp. Brendan weighed in today on the (ridiculously bloated, should be forum posts) discussion in Bug 360493,
Now there's an understatement. That's the first bug where I've actually un-CCed myself from it because I couldn't take the inane discussion anymore.

EDIT: Though I have to say, Bob Novell's long-winded diatribes have been good for an occasional laugh. That guy reminds me of chicken little meets that crazy guy on the street with a cardboard sign screaming that the world is about to end.
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

OK so if bug 360493 [Firefox:Password Manager]-Cross-Site Forms + Password Manager = Security Failure [All] isn't fixed for 2.0.0.1 i should probably remove it from the fixlist right? :)
Locked