User: Password:
|
|
Subscribe / Log in / New account

The Firefox password manager vulnerability

The Firefox password manager vulnerability

Posted Nov 30, 2006 9:11 UTC (Thu) by nix (subscriber, #2304)
In reply to: The Firefox password manager vulnerability by mms
Parent article: The Firefox password manager vulnerability

From the look of
kdelibs-3.5.5/khtml/html/html_formimpl.cpp:calculateAutoFillKey()
(svnversion 606559), it uses
that part of the URL before the first occurrence of a match to the regex
[,;!], followed by a # and the name of the form element. This seems
vulnerable to me under situations where URL parameters determine privilege
boundaries :/

(Why [,;!] and not ?, I wonder? The comment in the code implies that this
is working around a `potential security issue' but doesn't say what that
issue *is*.)


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds