|
Welcome to P2PNET.net - The original daily p2p and digital news site. Always First! |
|
|
|
|
p2pnet.net news:- Last November, Robert Chapin found a new security hole in Firefox, dubbing it ‘Reverse Cross-Site Request (RCSR).
 It exposed saved passwords and could affect anyone visiting a weblog or forum website that allows user-contributed HTML codes to be added, said Chapin.
Then in January this year, the risks meant Firefox Password Manager should immediately be disabled, he warned.
Now Chapin, who runs Chapin Information Services, tells p2pnet an analysis he’s just finished concludes the February 23 release of Firefox version 2.0.0.2 handles less than 25% of the problems related to Bug #360493, as it’s been labelled, although the fixes will, “satisfy the current security needs of the average Internet user”.
Chapin’s charts below are divided into lists of risk factors, “that may contribute to the overall success or failure of Password Management,” he says, going on:
“Each risk is assigned a weight from zero to five such that zero means no risk and five means relatively high risk.
“A discussion of each risk follows the analysis tables. Where this document mentions risks that are not yet disclosed to the public, only status information will be given.”
>>>>>>>>>>>>>>>
Timeline
|
11/12/06
|
|
CIS Reports Bug #360493, Firefox Password Management Flaws
|
|
11/12/06
|
|
Bob Clary Changes Status to New on Bug #360493
|
|
11/21/06
|
|
Daniel Veditz Removes Security Lock on Bug #360493
|
|
12/01/06
|
|
Biju Reports Bug #362576, Autocomplete Attribute Broken
|
|
12/19/06
|
|
Mozilla Releases Firefox v2.0.0.1
|
|
01/29/07
|
|
CIS Recommends Disabling Firefox Password Management
|
|
02/01/07
|
|
CIS Reports Bug #368959, Additional Password Management Flaws
|
|
02/23/07
|
|
Mozilla Releases Firefox v2.0.0.2
|
|
02/24/07
|
|
Mauro Bartoccelli Reports Bug #371525, FillPassword Function Broken
|
|
03/04/07
|
|
Gavin Sharp Changes Status to Resolved on Bug #360493
|
|
03/05/07
|
|
Secunia Reports Bug #360493 Not Fixed Properly
|
|
03/06/07
|
|
CIS Reports Bug #372885, Additional Password Management Flaws
|
Risks Identified in Comments
style='width:435.0pt;margin-left:4.65pt;border-collapse:collapse'>
|
#
|
Comment
Numbers
|
Description
|
style='font-size:10.0pt;font-family:Arial'>Weight
|
Status
|
|
1
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c0">#0,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c31">#31,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c51">#51,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c80">#80,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c110">#110,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c118">#118,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c121">#121,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c135">#135,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c151">#151,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c160">#160-179,
#208,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c216">#216,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c224">#224,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c228">#228,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c233">#233,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c267">#267
|
The
originating path of managed forms is ignored.
|
style='font-size:10.0pt;font-family:Arial'>2
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=263387">Open
|
|
2
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c0">#0,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c51">#51,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c80">#80,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c92">#92,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c216">#216
|
The
“action” path of managed forms is ignored.
|
style='font-size:10.0pt;font-family:Arial'>4
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=263387">Open
|
|
3
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c0">#0,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c110">#110,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c155">#155,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c307">#307
|
The ‘action’ attribute of managed forms is ignored when retrieving (filling) passwords.
|
style='font-size:10.0pt;font-family:Arial'>4
|
Resolved
|
|
4
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c0">#0,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c149">#149,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c326">#326,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c329">#329
|
The “action”
attribute of managed forms is ignored when saving passwords.
|
style='font-size:10.0pt;font-family:Arial'>2
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373144">Open
|
|
5
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c0">#0,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c11">#11,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c269">#269
|
There is
no programmatic feedback about the destination of unmanaged form submissions.
|
style='font-size:10.0pt;font-family:Arial'>3
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373144">Open
|
|
6
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c0">#0,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c15">#15,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c39">#39,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c205">#205,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c229">#229,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c238">#238,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c307">#307
|
Automatic
filling of saved credentials without user action.
|
style='font-size:10.0pt;font-family:Arial'>3
|
Partial
Solutions
|
|
7
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c0">#0,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c70">#70,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c272">#272
|
Mozilla
has advertised “active protection from online scams”, which was
ineffective for this bug.
|
style='font-size:10.0pt;font-family:Arial'>3
|
Open
|
|
8
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c6">#6,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c38">#38
|
‘XSS’ and scripting vulnerabilities.
|
style='font-size:10.0pt;font-family:Arial'>0
|
N/A
|
|
9
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c7">#7,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c114">#114
|
The
(in)visibility of managed forms is ignored.
|
style='font-size:10.0pt;font-family:Arial'>3
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373153">Open
|
|
10
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c22">#22,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c27">#27,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c28">#28,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c61">#61,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c91">#91,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c279">#279,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c331">#331-346
|
Dynamic changes to the ‘action’ attribute of managed forms are ignored.
|
style='font-size:10.0pt;font-family:Arial'>4
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373151">Open
|
|
11
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c49">#49,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c88">#88,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c358">#358
|
Unpatched
security risks reported to Mozilla are not included in the Firefox release
notes.
|
style='font-size:10.0pt;font-family:Arial'>3
|
Open
|
|
12
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c68">#68
|
Managed
forms contain plain text passwords in memory.
|
style='font-size:10.0pt;font-family:Arial'>2
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373149">Open
|
|
13
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c81">#81
|
The
“method” attribute of managed forms is ignored.
|
style='font-size:10.0pt;font-family:Arial'>2
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=371515">Open
|
|
14
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c253">#253-261,
#292-297,
#305-309
|
The new
patch does not affect all code paths.
|
style='font-size:10.0pt;font-family:Arial'>5
|
Resolved
|
|
15
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c274">#274,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c286">#286-291,
#294-296
|
The new
patch uses the wrong “action” attribute variables.
|
style='font-size:10.0pt;font-family:Arial'>2
|
Resolved
|
|
16
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c285">#285,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c348">#348,
href="https://bugzilla.mozilla.org/show_bug.cgi?id=360493#c349">#349
|
The new
“action” attribute check is at the wrong line in the patch.
|
style='font-size:10.0pt;font-family:Arial'>1
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373145">Open
|
|
Subtotal
|
|
style='font-size:10.0pt;font-family:Arial'>43
|
|
|
Risks Identified in Bug Dependencies
style='width:439.0pt;margin-left:4.65pt;border-collapse:collapse'>
|
#
|
style='font-size:10.0pt;font-family:Arial'>Bug Number
|
Description
|
style='font-size:10.0pt;font-family:Arial'>Weight
|
Status
|
|
17
|
style='font-size:8.0pt;font-family:Arial'>362576
|
The form
“autocomplete” attribute is broken.
|
style='font-size:10.0pt;font-family:Arial'>1
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=362576">Open
|
|
18
|
style='font-size:8.0pt;font-family:Arial'>368959
|
Additional
password management flaws
|
style='font-size:10.0pt;font-family:Arial'>3
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=368959">Open
|
|
19
|
style='font-size:8.0pt;font-family:Arial'>371525
|
nsPasswordManager::FillPassword()
was broken by the new patch.
|
style='font-size:10.0pt;font-family:Arial'>5
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=371525">Patch Pending
|
|
20
|
style='font-size:8.0pt;font-family:Arial'>372885
|
Additional
password management flaws
|
style='font-size:10.0pt;font-family:Arial'>1
|
href="https://bugzilla.mozilla.org/show_bug.cgi?id=372885">Open
|
|
Subtotal
|
|
style='font-size:10.0pt;font-family:Arial'>10
|
|
Other Risks Identified for This Analysis
#21. The Password Management module (nsPasswordManager) contains
a large amount of Form Management code. This design issue is assigned a weight
of 5. Bug
#373154
#22. Additional form management flaws. This is assigned a
weight of 1. Bug
#373309
Descriptive Statistics of Weighted Risks
Average risk weight: 2.7
Sum of risk weights: 59
Sum of risks resolved: 14|
Percent resolved: 24%
Discussion
Mozilla has requested discussion of all remaining matters be
separate from the original bug. CIS has opened new bugs in the Bugzilla website
for each of the unresolved risks. It is prudent to assume some of these
discussions will lead to a “wontfix†status.
Risk #1. The most controversial assumption of the Password
Manager design has been the use of domain names without validating the full
URL. This was discussed at length in the current bug and should continue in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=263387">Bug 263387.
The question at the heart of this issue: Is Firefox capable
of determining a website requesting credentials is the same website for which
credentials were saved?
It is our opinion that the lack of URL path checking and the
lack of any option to change this behavior represents one of the greatest
remaining risks to users.
Risk #2. The lack of URL path checking affects both the originating page address and the form ‘action’ attribute. Because the latter value controls the destination of password transmission, we have assigned it a greater risk.
Risk #3. Changes made to Firefox v2.0.0.2 focused on validating the form ‘action’ attribute before filling saved credentials into a login form. This change is working, however its effectiveness may hinge on the other risks listed in this document.
Risk #4. The changes made to resolve Risk #3 did not include validating the form ‘action’ attribute when it is saved to disk. This means the Password Manager still does not aid the user in making decisions about the safety of typing passwords on websites. This also negates measures to mitigate Risk #3 when the user is unable to correctly evaluate new requests for credentials. Discussion of this risk should continue in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373144">Bug #373144.
Risk #5. Firefox does not provide any feedback about where
the contents of a form will be transmitted. This is primarily the fault of
relying on protocols that are common and standard, but are also flawed and
known to be insecure. The Forms authentication standard does not require
Firefox to use the website requesting a password as the transmission end point,
yet it also does not prevent Firefox from informing the user.
Developers of major web browsers such as Internet Explorer and Firefox have a responsibility to also participate in the development of new security protocols. The existing protocols, which have been in use since the birth of the World Wide Web, have been considered ‘unacceptable’ since 1999. The background, problems, and recommendations about these protocols are discussed at length in the CIS whitepaper,
href="http://www.info-svc.com/news/02-09-2007/">The Internet’s Best Kept Secret:
No Password Is Safe.
Risk #6. Users now have two options to disable automatic password filling without disabling the Password Manager. The first option is called ‘Use a master password’, which can be found in the Options dialog box and requires the user to enter a password. The second option can be found by opening a new tab in the browser, typing ‘about:config’ in the address bar, scrolling down to ’signon.prefillForms’, and then double clicking. Neither of the two options are enabled by default, so we do not consider them to be a complete solution. Several comments in this bug suggested adding a toolbar button that must be clicked before any passwords will be filled.
Risk #7. The ‘active protection from online scams’ advertisement may create a false sense of security with regard to the Firefox Password Manager. We caution Mozilla against making unqualified claims to promote product security. We also caution users against accepting any product as being absolutely secure. As this risk does not represent a software bug, it will not be added to the Bugzilla website for discussion.
Risk #8. Vulnerabilities related to client-side scripting (XSS) injections are excluded from the scope of this bug and this analysis. More information can be found in the ‘Depends on’ section of
href="https://bugzilla.mozilla.org/show_bug.cgi?id=301375">Bug #301375.
Risk #9. Firefox does not distinguish between forms that
are visible and forms that are not visible to the user. The potential
interaction of Risks 6 and 9 have been demonstrated, and this is an excellent
example of how circumstantial flaws can multiply the risk to security.
Discussion of this risk should continue in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373153">Bug #373153.
Risk #10. This is a highly technical problem that should have been discussed in detail before the release of version 2.0.0.2. To put it simply, Firefox does not consistently decide at what time it should evaluate form data. Participants in the bug discussion cited legitimate uses for client-side scripts that would modify the form data, and specifically the ‘action’ attribute. Therefore, this risk cannot be dismissed as an XSS problem. Discussion of this risk should continue in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373151">Bug #373151.
When a page first loads in Firefox, a function named
nsPaswordManager::
FillDocument() is called upon to evaluate all of the forms on that page. This function is now designed to check the ‘action’ attribute of each form and compare it to saved credentials. This immediately causes a problem. The ‘action’ attribute is never saved to disk within this function, and this function has no role in the transmission of form data. Consequently, there are three separate events occurring at three different times.
Logically, for a client script to affect the ‘action’ attribute, it must make changes to the form at some time between the page loading and the form data transmission. We will use the onSubmit event as an example. According to Comment
#341, the onSubmit event would happen after the credentials are saved to disk. In this scenario, the client script would change the ‘action’ attribute after the value was saved to disk, but before the form is transmitted. The ‘action’ attribute being saved to disk does not correspond to the transmission end point, and the Password Manager will be unaware of any changes that occur during the onSubmit event.
Worse yet, disabling JavaScript in this scenario would cause the ‘action’ attribute to remain static, potentially causing credentials to transmit over an insecure connection or to arrive at the wrong server.
Risk #11. There were multiple complaints about the
difficulties in learning about this type of bug. It was pointed out that both
the Mozilla website and the Firefox release notes had no documentation of this
bug at any time before February 23, 2007, more than three months after it was
made public in the Bugzilla website. This lack of documentation and
communication creates an opportunity for Mozilla to mitigate this type of
security risk in the future. As this risk does not represent a software bug,
it will not be added to the Bugzilla website for discussion.
Risk #12. A theory mentioned in
href="https://bugzilla.mozilla.org/show_bug.cgi#c68?id=360493">Comment #68
hinted at never filling real passwords into password fields. This would have
obvious advantages in that it would significantly reduce the attack surface
presented by Password Management. In fact, the real password is not needed by
any part of the program until transmission time. Discussion of this risk
should continue in Bug
#373149.
Risk #13. See Risk #5. Again, the Forms authentication standard does not prevent Firefox from warning or stopping the user when the ‘get’ method is used. Discussion of this risk should continue in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=371515">Bug #371515.
Risk #14. In some drafts of the patch, the ‘action’ attribute was not validated before all instances of passField->SetValue(). This was corrected before the release of version 2.0.0.2.
Risk #15. In some drafts of the patch, the ‘action’ attribute was not correctly referenced. This was corrected before the release of version 2.0.0.2.
Risk #16. For both performance and security reasons, the ‘action’ attribute should be validated at the top of the credentials DataEntry loop. In version 2.0.0.2, this validation occurs in the middle of the DataEntry loop after retrieving the form signature and validating the username and password fields. Discussion of this risk should continue in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373145">Bug #373145.
Risk #17: The ‘autocomplete’ attribute, which is supposed to allow webmasters to disable the Password Manager, does not work in all cases. As a result, the Password Manager fills password fields when it should not. This is Bug
#362576.
Risk #18: CIS reported several problems related to the
Password Manager in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=368959">Bug #368959, and included a request that they be fixed before Bug #360493. The status of this bug is currently, ‘new’.
Risk #19: Mozilla and CIS have confirmed that the
nsPasswordManager::FillPassword() function does not work correctly in version
2.0.0.2. As a result, this version of the Password Manager is partially
crippled and may be difficult to use in many instances. This is
href="https://bugzilla.mozilla.org/show_bug.cgi?id=371525">Bug #371525.
Risk #20: CIS reported a problem related to the Password Manager in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=372885">Bug #372885. A test case has been included. The status of this bug is currently, ‘unconfirmed’.
Risk #21: One of the most substantial risks remaining with
this bug is the overall design of the Password Manager module,
nsPasswordManager. Its code includes a large amount of form management
routines that are not essential to the logical function of this module, and
cause or exacerbate all of the above risks.
To eliminate this risk would mean:
- Creating two, logically separate modules for Form
Management and Password Management.
- Allowing the Form Management module to unlock passwords
only by calling on a Password Management function.
- Requiring the Form Management module to include in its
function call all of the necessary data needed to validate an
authentication request.
- Requiring the Password Management module to hand-off
validated credential requests directly to the transmission function, so
that the Form Management module is never in possession of saved
credentials. (Note: This is an idealistic feature that would exclude
scripting of saved credentials.)
- Eliminating all Form-related routines from the Password
Management module.
Discussion of this risk should continue in
href="https://bugzilla.mozilla.org/show_bug.cgi?id=373154">Bug #373154.
Risk #22. CIS reported a problem related to the Form
Manager in Bug
#373309. A test case has been included. The status of this bug is
currently, “unconfirmedâ€.
Conclusion
Given the 22 risks identified as relating to this bug, and
the actual amount of corrective action taken so far, it is impossible to change
our recommendation that the Firefox Password Manager be disabled by users. By
our estimation, less than 25% of the risk represented by these problems has
been resolved in the release of version 2.0.0.2.
We suggest that Mozilla correct 40% of these weighted risks
before its Password Manger is deemed safe for common use. This means, at
minimum, resolving the risks identified in the four bug dependencies, or
providing the level of security needed to reasonably protect the average
Internet user. We also suggest considering goals greater than 40%, which could
position the Firefox Password Manager ahead of competitive products.
Slashdot it! 
Also See:
security hole - Firefox password security hole, November 21, 2006
be disabled - Threat to MySpace Firefox users, January 29, 2007
If your Net access is blocked by government restrictions, try Psiphon from the Citizen Lab at thIs the end (of the Net) nigh?zze University of Toronto’s Munk Centre for International Studies. Go here for the official download, here for the p2pnet download, and here for details. And if you’re Chinese and you’re looking for a way to access independent Internet news sources, try Freegate, the DIT program written to help Chinese citizens circumvent web site blocking outside of China. Download it here.
rss feed: http://p2pnet.net/p2p.rss | | Mobile - http://p2pnet.net/index-wml.php | | And use free p2pnet newsfeeds for your site
Tired of being treated like a criminal? They depend on you, not the other way around. Don’t buy their ‘product’. Do bug your local politicians. Use emails, snail-mail, phone calls, faxes, IM, stop them in the street, blog. And if you’re into organizing, organize petitions, organize demonstrations and then turn up on your local political rep’s doorstep, making sure you’ve contacted your local tv/radio station/newspaper in advance. Don’t just complain. Do something!
This entry was posted
on Friday, March 9th, 2007 at 1:48 pm and is filed under Uncategorized.
You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
HOME
Viewed 1783 times
p2pnet - rss feed: 
