Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ie7 And Firefox 2.0 Are Vulnerable To New Rcsr Exploit.


  • Please log in to reply
No replies to this topic

#1 lucent

lucent

  • Members
  • 172 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:54 PM

Posted 23 November 2006 - 06:59 PM

Hello, it seems that both IE7 and FIrefox 2 have a common vulnerability in their password managers. The exploit has been seen on (apparently) some pages on MySpace and also a few blog pages.

The latest versions of both Firefox and Internet Explorer are vulnerable to an unpatched flaw that allows hackers to snaffle users' login credentials via automated phishing attacks.

The information disclosure bug affects the password manager in Firefox 2.0 and its equivalent in IE7. Firefox's Password Manager, for example, fails to properly check URLs before filling in saved user credentials into web forms. As a result, hackers might be able to swipe users credentials via malicious forms in the same domain, providing users have already filled out forms on this domain.

-Quote taken from here: http://www.theregister.co.uk/2006/11/23/fake_login_flaw/

It seems that firefox 2 is hit harder than IE7 because of the way Firefox automatically fills in the request forms once the page is viewed or if the user inputs a username help in the password manager cache.
For now it looks like the best thing to do is turn of your browsers password manager and fill in the form yourself...... but being security conscious we all do this anyway.....don't we ;)

For more info visit the following link as it details both Cross-Site Request Forgery and the newer Reverse Cross-Site Request vulnerability. This link below is also available on the above link's page as well.
http://www.info-svc.com/news/11-21-2006/

Cheers, Lucent
Posted Image
Special thanks to efizzer for the signature

BC AdBot (Login to Remove)

 





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users