



Mozilla Foundation Security Advisory 2005-17

Title: Install source spoofing with user:pass@host
Severity: Low
Risk: Low
Reporter: Phil Ringnalda
Products: Firefox, Thunderbird, Mozilla Suite

Fixed in: Firefox 1.0.1
  Thunderbird 1.0.2
  Mozilla Suite 1.7.6

Description

The installation confirmation dialog shows the source of the software. By placing a long, fake "user:pass" in front of the true hostname, an attacker can push the real host out of view and convince the user to trust software that actually comes from an untrustworthy source. This is the same technique used in some phishing mail: "http://www.mozilla.org@attacker.com/install.xpi".

By default Firefox only allows install attempts from http://update.mozilla.org, so a user would need to explicitly allow the spoofing host to initiate installs before it could try this trick.

Workaround

Do not install software when prompted by untrusted sites. Enlarge the install confirmation dialog and verify that "@" does not appear before the first "/" character.
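The following is an added example, not code from Mozilla or from this advisory. It shows the two sides of the issue described above: the manual check from the workaround (does "@" appear in the authority part of the URL, i.e. before the first "/" after the scheme) and what a confirmation dialog should display instead of the raw string, namely the host the URL parser will actually connect to. The sample URLs and the host name "attacker.example" are constructed placeholders; the example relies on the standard WHATWG URL parser available in browsers and Node.js.

```javascript
// Added example (not Mozilla's code): why echoing the raw install-source
// string can mislead, and how to recover the true host from the URL.
// All sample URLs below are constructed; "attacker.example" is a placeholder.

// Manual check from the advisory's workaround: is there an "@" inside the
// authority component, i.e. between the scheme's "//" and the first "/"?
// "?" and "#" are also treated as the end of the authority so that an "@"
// in a query string or fragment is not misreported.
function authorityHasUserinfo(urlString) {
  const schemeEnd = urlString.indexOf("//");
  if (schemeEnd === -1) return false;
  const authorityStart = schemeEnd + 2;
  let authorityEnd = urlString.length;
  for (const delimiter of ["/", "?", "#"]) {
    const pos = urlString.indexOf(delimiter, authorityStart);
    if (pos !== -1 && pos < authorityEnd) authorityEnd = pos;
  }
  const authority = urlString.slice(authorityStart, authorityEnd);
  return authority.includes("@");
}

// Parse the URL and return what a confirmation dialog should present:
// the host that will serve the file, and a flag when userinfo is present
// (the part of the URL the spoofing relies on). The "naiveDisplay" field
// mimics a dialog that is too narrow and shows only the start of the
// raw string, which is exactly what the fake "user:pass" exploits.
function describeInstallSource(urlString, displayWidth = 24) {
  const url = new URL(urlString);
  const userinfo = url.username + (url.password ? ":" + url.password : "");
  return {
    trueHost: url.hostname,
    hasUserinfo: userinfo.length > 0,
    userinfo,
    naiveDisplay: urlString.slice(0, displayWidth),
  };
}

// Stand-alone demonstration with constructed inputs.
const samples = [
  "https://update.mozilla.org/extensions/example.xpi",
  "http://www.mozilla.org@attacker.example/install.xpi",
  "http://www.mozilla.org:80@attacker.example/install.xpi",
];
for (const s of samples) {
  const info = describeInstallSource(s);
  console.log(
    `${info.naiveDisplay}... -> host=${info.trueHost}` +
      (info.hasUserinfo ? ` (userinfo "${info.userinfo}" present)` : "") +
      ` manualCheck=${authorityHasUserinfo(s)}`
  );
}
```

The point the output makes is that the truncated "naiveDisplay" column starts with "http://www.mozilla.org" for all three URLs, while the parsed host differs; a dialog that shows `url.hostname` rather than a prefix of the raw string is not fooled, and the presence of any userinfo at all is a reasonable reason to warn.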

References