Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog - Reverse Cross-Site Request (RCSR) vulnerability InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Reverse Cross-Site Request (RCSR) vulnerability

Published: 2006-11-22
Last Updated: 2006-11-22 14:43:18 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)
A new vulnerability in Firefox has been recently disclosed. The password saving functionality of Firefox can be exploited to expose usernames and passwords to other sites, such as those used for blogs or any page requesting user input. The proof of concept page shows the username and password input in a google URL. They are calling it a Reverse Cross-Site Request (RCSR) vulnerability. The advisory appears here. This type of attack vector appears to also affect Internet Explorer.

Bugzilla link.

Mozilla has apparently been advised of the vulnerability, there currently is no vendor patch. The workaround in this particular case would be to never use Firefox to save passwords for any web site. The option is under Tools, Options, Security. Here is a link showing how to disable it.

Thanks to our reader Carsten for letting us know.

Adrien de Beaupre
0 comment(s)
Diary Archives