lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1442203769.20061123190428@SECURITY.NNOV.RU>
Date: Thu, 23 Nov 2006 19:04:28 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: fash1on@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords

Dear fash1on@...il.com,

It  looks like in order to exploit this, attacker must be able to insert
form   in   content   of  exploited  site.  That  is,  to  exploit  this
vulnerability,  e.g.  crossite  scripting  vulnerability is required. In
this  case,  this  is  a  flow,  but not so big one. Is it so, or I miss
something?

--Wednesday, November 22, 2006, 12:57:43 PM, you wrote to bugtraq@...urityfocus.com:

fgc> "Today, Mozilla made public bug #360493, which exposes
fgc> Firefox's Password Manager on many public sites. The flaw derives
fgc> from Firefox's willingness to supply the username and password
fgc> stored on one page on a domain to another page on a domain. For
fgc> example, username/password input tags on a Myspace user's site will
fgc> be unhelpfully propagated with the visitor's Myspace.com
fgc> credentials. It was first discovered in the wild by Netcraft on
fgc> Oct. 27. As this proof-of-concept illustrates, because the
fgc> username/password fields need not be visible on the page, your
fgc> password can be stolen in an almost completely transparent fashion.
fgc> PoC here: http://www.info-svc.com/news/11-21-2006/rcsr1/





-- 
~/ZARAZA
Почтенные ископаемые! Жду от вас дальнейших писем.  (Твен)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ