CVE-2006-6077

Severity

50%

Complexity

99%

Confidentiality

48%

The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password.

The (1) Password Manager in Mozilla Firefox 2.0, and 1.5.0.8 and earlier; and the (2) Passcard Manager in Netscape 8.1.2 and possibly other versions, do not properly verify that an ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password, which allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password.

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N).

Overview

First reported 18 years ago

2006-11-24 17:07:00

Last updated 6 years ago

2018-10-17 21:46:00

Affected Software

Mozilla Firefox 1.5

1.5

Mozilla Firefox 1.5 Beta 1

1.5

Mozilla Firefox 1.5 Beta 2

1.5

Mozilla Firefox 1.5.0.1

1.5.0.1

Mozilla Firefox 1.5.0.2

1.5.0.2

Mozilla Firefox 1.5.0.3

1.5.0.3

Mozilla Firefox 1.5.0.4

1.5.0.4

Mozilla Firefox 1.5.0.5

1.5.0.5

Mozilla Firefox 1.5.0.6

1.5.0.6

Mozilla Firefox 1.5.0.7

1.5.0.7

Mozilla Firefox

Mozilla Firefox 2.0

2.0

Netscape Netscape 8.1.2

8.1.2

References

20070202-01-P

20070301-01-P

FEDORA-2007-281

FEDORA-2007-293

HPSBUX02153

SUSE-SA:2007:019

RHSA-2007:0077

23046

Exploit, Vendor Advisory

23108

24205

24238

24287

24290

24293

24320

24328

24333

24342

24343

24384

24393

24395

24437

24457

24650

25588

GLSA-200703-04

1017271

Exploit

SSA:2007-066-05

DSA-1336

GLSA-200703-08

http://www.info-svc.com/news/11-21-2006/

Exploit

http://www.info-svc.com/news/11-21-2006/rcsr1/

MDKSA-2007:050

http://www.mozilla.org/security/announce/2007/mfsa2007-02.html

SUSE-SA:2007:022

RHSA-2007:0078

RHSA-2007:0079

RHSA-2007:0097

RHSA-2007:0108

20061122 Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords

20061123 Password Flaw also in Firefox 1.5.08. Was: Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords

20061123 Re: Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords

20061123 Re: Password Flaw also in Firefox 1.5.08. Was: Big Flaw in Firefox 2: Password Manager Bug Exposes Passwords

20061220 critical Flaw in Firefox 2.0.0.1 allows to steal the user passwords with a videoclip

20061221 Re: critical Flaw in Firefox 2.0.0.1 allows to steal the user passwords with a videoclip

20061222 Re[2]: critical Flaw in Firefox 2.0.0.1 allows to steal the user passwords with a videoclip

20070226 rPSA-2007-0040-1 firefox

20070303 rPSA-2007-0040-3 firefox thunderbird

21240

Exploit

22694

USN-428-1

ADV-2006-4662

ADV-2007-0718

https://bugzilla.mozilla.org/show_bug.cgi?id=360493

Exploit

firefox-passwordmgr-information-disclosure(30470)

https://issues.rpath.com/browse/RPL-1081

https://issues.rpath.com/browse/RPL-1103

oval:org.mitre.oval:def:10031

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.