MozillaZine

2.0.0.1pre

Discussion about official Mozilla Firefox builds
the-edmeister

Posts: 28252
Joined: February 25th, 2003, 12:51 am
Location: Chicago, IL, USA
November 24th, 2006, 12:57 am

Any word on exactly what has been fixed? Anything related to RCSR - https://bugzilla.mozilla.org/show_bug.cgi?id=360493 ?


Ed
- ASUS eeePC 900 20GB SSHD 1GHz DDR2 - Xandros -
- Athlon64 2.2Ghz 2Gb DDR800 - W2K SP4 & Ubuntu 8.04 -
- PII 350MHz 768Mb RAM - W2K SP4 -- You can't fix stupid! - the Ron White tour

trolly
Moderator

Posts: 33182
Joined: August 22nd, 2005, 7:25 am
November 24th, 2006, 2:08 am

Don't think so. Discussion on how to fix it is still on.
Think for yourself.
Otherwise you have to believe what other people tell you.

nrthomas
Posts: 1986
Joined: February 9th, 2003, 3:25 pm
November 24th, 2006, 3:50 am

See this bonsai query for checkins since Firefox 2: http://bonsai.mozilla.org/cvsquery.cgi?treeid=default&module=AviarySuiteBranchTinderbox&branch=MOZILLA_1_8_BRANCH&branchtype=match&dir=&file=&filetype=match&who=&whotype=match&sortby=Date&hours=2&date=explicit&mindate=2006-10-10+23%3A00%3A00&maxdate=&cvsroot=%2Fcvsroot

Recently there have been a bunch of JS and other core fixes (some security), while the older checkins mainly relate to SeaMonkey (xpfe/ etc) and Thunderbird (mail/, mailnews/).

Handle With Care

Posts: 607
Joined: September 15th, 2004, 9:14 am
November 24th, 2006, 4:17 pm

trolly wrote: Don't think so. Discussion on how to fix it is still on.

I appreciate the problems getting this one fixed, but it's now in the general press, which could cause some pretty bad publicity. See ZDnet, SecurityFocus, and TheRegister just for starters.

There seems to be some disagreement or lack of information as to whether this is a problem affecting only Fx2 or also previous versions. So far, the only suggestion is to disable Remember Passwords.
AMD Athlon-64 3500+; Win-XP/SP3 Media w/latest patches; Fx 3.5.5; Tb 2.0.0.23

kliu0x52

Posts: 484
Joined: October 18th, 2006, 2:23 pm
Location: .us
November 24th, 2006, 4:51 pm

trolly wrote: Don't think so. Discussion on how to fix it is still on.

*nods*

The "problem" really is as much an issue with Myspace being idiotic by allowing people to post unrestricted HTML as it is an issue with Firefox. Any security "fix" would be to make it harder for people to launch such cross-site attacks, but like XSS, the responsibility fundamentally lies with the people who run the sites.
My addons: ClassicFox | NoRedirect | QuickDrag | URL Flipper
Developers: Make sure to test your addons for RTL compatibility!

Uncle Spellbinder

Posts: 2925
Joined: May 28th, 2004, 4:52 pm
Location: Newnan, GA - USA
November 25th, 2006, 8:56 am

1) Does this issue apply to passwords already saved? In other words, is it safe to use the Password Manager at all until this issue is fixed?

2) Is Minefield affected by this?
Windows 7 (64-Bit) / Ubuntu 9.10 (32-Bit) * Firefox 3.5.5 / SeaMonkey 2.0
My Firefox 3.5.3 Add-Ons Collection: Eclectic Essentials * My SeaMonkey 2.0 Add-Ons Collection: SeaMonkey Essentials

chob
Posts: 3948
Joined: May 17th, 2003, 12:05 pm
Location: London, UK
November 25th, 2006, 9:33 am

1) It's safe to use password manager on any site that doesn't let its users add their own HTML code. For example, it's perfectly safe to use the password manager for sites like ebay, amazon, etc, because these are sites you just read. On Myspace, not only can you log onto the site, but its users can add their own html to make their own mini-webpages.

So if you have your myspace password saved in the password manager, and then someone on their myspace page adds username/password input boxes, then your myspace username and password get filled into their (not the site's) input boxes, and they can steal your details like that. (The password manager just sees that there is a username/password input for myspace, and blindly fills in the details it knows, not realising that it's not the official logon page but a similar logon page designed by a user; because it's on a myspace page, it fills the details in anyway.)

But because most sites (retail sites, etc) don't let people add their own html/webpages, these sites are as safe as they have always been. Unless a hacker gets into their server and constructs dodgy html to grab your username/password from the password manager and then submit it to their dodgy server, you're fine. And let's face it, if someone is hacking a big server like that, then it's got pretty big problems already.

2) I believe minefield is also affected. But not 100% sure. I don't see why it wouldn't be.

Uncle Spellbinder

Posts: 2925
Joined: May 28th, 2004, 4:52 pm
Location: Newnan, GA - USA
November 25th, 2006, 9:37 am

Thanks, chob.
Windows 7 (64-Bit) / Ubuntu 9.10 (32-Bit) * Firefox 3.5.5 / SeaMonkey 2.0
My Firefox 3.5.3 Add-Ons Collection: Eclectic Essentials * My SeaMonkey 2.0 Add-Ons Collection: SeaMonkey Essentials

IceDogg

Posts: 628
Joined: July 24th, 2004, 11:26 am
November 25th, 2006, 4:26 pm

Chob, sorry to bug ya, but this one has me a little puzzled. Here are more questions I have about this. Anyone else that knows is welcome to answer.

1. What about forums? I know most forums don't allow this, but how can you tell if a forum does or not? Sorry if it seems like a stupid question.
2. Like on myspace...can they only steal myspace passwords or could they steal any password? Like my bank's (if I had it saved in Password manager)? This one I'm very unclear on.
3. Will unchecking remember passwords for sites under options temporarily fix this? Or do I need to remove all the passwords already saved?

Thanks for any help, and sorry for going off topic.

Tolien
Posts: 177
Joined: October 26th, 2005, 4:16 pm
Location: Scotland
November 25th, 2006, 4:51 pm

I'm not chob, but:

IceDogg wrote: 1. What about forums? I know most forums don't allow this, but how can you tell if a forum does or not? Sorry if it seems like a stupid question.


It comes down to whether the forum's permissions let ordinary users post HTML. How you'd tell would depend on the forum in question.

2. Like on myspace...can they only steal myspace passwords or could they steal any password? Like my bank's (if I had it saved in Password manager)? This one I'm very unclear on.


Only your myspace password. The PM will only fill in a password for a site with the same domain (so a page at www.blah.com can only get to passwords stored for www.blah.com).
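To make chob's and Tolien's points concrete, here is an added example (not code from this thread or from Firefox's own password manager) that models the autofill decision: saved logins are keyed by site origin, so a password form written by another user of the same site gets filled, while a login saved for a different site is never offered. The second policy is an illustrative hardening, assumed here rather than taken from the project, that also requires the form to submit to the origin recorded when the login was saved; all hosts, paths and credentials are constructed placeholders.

```javascript
// Constructed saved-login store: one entry per site, recording the origin of
// the page the login was saved on and the action the login form submitted to.
const savedLogins = [
  { origin: "http://social.example", action: "http://social.example/login",
    username: "alice", password: "constructed-pw-1" },
  { origin: "https://bank.example", action: "https://bank.example/auth",
    username: "alice", password: "constructed-pw-2" },
];

// Resolve a form's action attribute against the page it appears on, as a
// browser does ("" or a relative path means "submit to this site").
function resolveAction(pageUrl, formAction) {
  return new URL(formAction || "", pageUrl);
}

// Lenient policy (the behaviour the thread describes): match on page origin
// only, so any password form on the site is filled, whoever authored it.
function autofillLenient(pageUrl, formAction) {
  const pageOrigin = new URL(pageUrl).origin;
  return savedLogins.find((l) => l.origin === pageOrigin) || null;
}

// Stricter policy (assumed hardening): the page origin must match AND the form
// must submit to the same origin as the form the login was saved from.
function autofillStrict(pageUrl, formAction) {
  const pageOrigin = new URL(pageUrl).origin;
  const actionOrigin = resolveAction(pageUrl, formAction).origin;
  return savedLogins.find(
    (l) => l.origin === pageOrigin && new URL(l.action).origin === actionOrigin
  ) || null;
}

// The thread's scenarios: the site's real login page, and a user-authored
// profile page containing a form that submits to an unrelated host.
function scenarios() {
  const official = ["http://social.example/login", "/login"];
  const userPage = ["http://social.example/profile/mallory",
                    "https://collector.example/grab"];
  return {
    officialLenient: autofillLenient(...official),  // filled
    officialStrict: autofillStrict(...official),    // filled
    userPageLenient: autofillLenient(...userPage),  // filled: credentials leak
    userPageStrict: autofillStrict(...userPage),    // null: not filled
    // Tolien's point: a social.example page is only ever offered the
    // social.example login, never the one saved for bank.example.
    bankFromSocial: autofillLenient(userPage[0], "https://bank.example/auth"),
  };
}
```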

IceDogg

Posts: 628
Joined: July 24th, 2004, 11:26 am
November 25th, 2006, 10:36 pm

Tolien wrote: I'm not chob, but:
Only your myspace password. The PM will only fill in a password for a site with the same domain (so a page at www.blah.com can only get to passwords stored for www.blah.com).


Thanks, but then what is all the hoopla about? Seems pretty harmless to important sites. Most you could have to lose is a forum/myspace account?

kliu0x52

Posts: 484
Joined: October 18th, 2006, 2:23 pm
Location: .us
November 25th, 2006, 10:45 pm

IceDogg wrote:
Tolien wrote: I'm not chob, but:
Only your myspace password. The PM will only fill in a password for a site with the same domain (so a page at www.blah.com can only get to passwords stored for www.blah.com).


Thanks, but then what is all the hoopla about? Seems pretty harmless to important sites. Most you could have to lose is a forum/myspace account?

Slashdot sensationalized an article and made a mountain out of a molehill. But then again, this is typical of /. ;)

And almost all the forums I've been to don't allow HTML. Another mitigating factor is that it does require the user to click a forum submit button (though such buttons could be disguised, but they nevertheless still require a click).
My addons: ClassicFox | NoRedirect | QuickDrag | URL Flipper
Developers: Make sure to test your addons for RTL compatibility!

Handle With Care

Posts: 607
Joined: September 15th, 2004, 9:14 am
November 26th, 2006, 12:07 pm

kliu0x52 wrote: And almost all the forums I've been to don't allow HTML. Another mitigating factor is that it does require the user to click a forum submit button (though such buttons could be disguised, but they nevertheless still require a click).

Heh...I just checked my own profile here and found HTML enabled by default!
AMD Athlon-64 3500+; Win-XP/SP3 Media w/latest patches; Fx 3.5.5; Tb 2.0.0.23

kliu0x52

Posts: 484
Joined: October 18th, 2006, 2:23 pm
Location: .us
November 27th, 2006, 5:49 am

<form>
<input>
<input>
</form>
My addons: ClassicFox | NoRedirect | QuickDrag | URL Flipper
Developers: Make sure to test your addons for RTL compatibility!

kliu0x52

Posts: 484
Joined: October 18th, 2006, 2:23 pm
Location: .us
November 27th, 2006, 5:51 am

Perhaps I should have clarified: unrestricted HTML, since as my post above shows (it was supposed to be form, input type=password, and input type=text, but not only were the tags de-tagified, but the stuff in the tags got stripped, too), not every bit of HTML is legal in the world of forums. :)
My addons: ClassicFox | NoRedirect | QuickDrag | URL Flipper
Developers: Make sure to test your addons for RTL compatibility!
