You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

You are here: Known Vulnerabilities in Mozilla Products (Firefox > MFSA 2008-16

Mozilla Foundation Security Advisory 2008-16

Title: HTTP Referrer spoofing with malformed URLs
Impact: Moderate
Announced: March 25, 2008
Reporter: Gregory Fleischer, RSnake
Products: Firefox, SeaMonkey

Fixed in: Firefox
  SeaMonkey 1.1.9


Security researcher Gregory Fleischer demonstrated a problem with the HTTP Referer: (sic) header sent with requests to URLs containing Basic Authentication credentials with empty usernames. In these cases a number of leading characters, based on the length of the password in the URL, are removed from the referrer hostname. Fleischer pointed out that websites which only check the Referer: header to protect against Cross-Site Request Forgery (CSRF) could be attacked using this flaw. This concept was based on and expanded from a post to the forum by security researcher RSnake.