Firefox 2.0.0.1 – no fix to Password Manager flaw yet

New Firefox version 2.0.0.1 arrived with no fix to Password Manager Information Disclosure vulnerability. This issue was reported on 21th November with this news-type report. Ha.ckers Blog wrote about the problem in August already.
The related Bugzilla Bug #360493 was opened earlier, by Robert Chapin too.

CVE-2006-6077 has been assigned for this vulnerability. At time of writing the CVSS Severity level is 2.3 (Low).

Version 1.5.0.8 – and the new 1.5.0.9 – are affected too.

Share
  • http://altmylife.blogspot.com Tyop?

    There is a way to fix that,
    Mikhael Felker explain that on a paper :
    This text value will be SAVED:

    [INPUT TYPE="text" NAME="password" AUTOCOMPLETE="ON"]

    This text value will NOT BE SAVED:

    [INPUT TYPE="text" NAME="password" AUTOCOMPLETE="OFF"]

    ‘[' and ']‘ are html balises.

    Link : http://www.securityfocus.com/infocus/1883/2

  • http://www.whiteacid.org Sid

    Ideally you’d want something that doesn’t require people to re-write all their pages. Something like only filling in the value password should do, then actually inserting the true value only when the request is actually beings sent. That could break forms that use JavaScript/AJAX though.

  • Pingback: Clipperz

  • http://networksecurity.typepad.com/ Juha-Matti

    New Firefox version 2.0.0.2 includes a fix now.
    Download links are located at
    http://www.mozilla.com/en-US/firefox/all.html

  • http://www.whiteacid.org Sid

    I haven’t looked at this in detail but from what people have told me it doesn’t fix the issue if the attacker can run JS on the page with the form on it (via XSS).