Weekly edition	Kernel	Security	Distributions	Contact Us	Search
Archives	Calendar	Subscribe	Write for LWN	LWN.net FAQ	Sponsors

The Firefox password manager vulnerability

Posted Nov 30, 2006 8:22 UTC (Thu) by mms (subscriber, #11532)
In reply to: The Firefox password manager vulnerability by stuart
Parent article: The Firefox password manager vulnerability

I have to disagree on this straight-forward "yes". Konqueror does not
match the domain name, but instead seems to use the entire, fqdn. And,
unlike IE, it won't help you if the fqdn does not match, even if you fill
the form with a valid username.

So, is Konqueror vulnerable to this very problem? I'm not really sure.

(Log in to post comments)

Posted Nov 30, 2006 9:11 UTC (Thu) by nix (subscriber, #2304) [Link]

From the look of
kdelibs-3.5.5/khtml/html/html_formimpl.cpp:calculateAutoFillKey()
(svnversion 606559), it uses
that part of the URL before the first occurrence of a match to the regex
[,;!], followed by a # and the name of the form element. This seems
vulnerable to me under situations where URL parameters determine privilege
boundaries :/

(Why [,;!] and not ?, I wonder? The comment in the code implies that this
is working around a `potential security issue' but doesn't say what that
issue *is*.)

The Firefox password manager vulnerability

Posted Nov 30, 2006 9:13 UTC (Thu) by khim (subscriber, #9252) [Link]

Previous answer was much better then your long tirada. Have you even read the article ?

The problem happens not when the wrong site shows the form. Problem happens when "trusted" site allow HTML in posts! Then you can put form with TARGET="malicious site" and fqdn or not fqdn - password will be sent to cracker...