Mozilla Firefox Password Manager information disclosure vuln

Date Discovered: 2006. november 24.
Date Published: 2006. december 6.
Last Updated: 2006. december 6.

Threat Assessment
Overall Risk: Low
Impact:         Low
Popularity:   Medium
Simplicity:    Low

Vulnerability Description
Vulnerability ID:          34828
Discovered By:            Robert Chapin
Exploitable Locally:   No
Exploitable Remotely: Yes
Impact:                        A remote attacker can obtain sensitive information like usernames and passwords.
Root Cause:                 Software Vulnerability

Mozilla Firefox contains a vulnerability that can allow a remote attacker to obtain sensitive information like usernames and passwords. The vulnerability is due to an error while validating the URLs before automatically filling the forms with saved user names and passwords. An attacker can entice a user to visit a specially crafted web page to obtain sensitive information like usernames and passwords.

Recommendations
For: Mozilla Firefox 1.5.0.8, Mozilla Firefox 2.0
Disable the ˝Remember passwords for sites˝ option.

Affected Technologies
The Mozilla Organization: Mozilla Firefox 1.5.0.8
The Mozilla Organization: Mozilla Firefox 2.0

References
Mitre CVE: CVE-2006-6077

More information on CA Vulnerability Information Center:
http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34828

Computer Associates – the Trusted Source of Security Knowledge