PT-2006-6722 · Mozilla+3 · Firefox+3

Published: 2006-11-24 · Updated: 2024-12-12 · CVE-2006-6077

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Mozilla Firefox versions 2.0 and 1.5.0.8 and earlier
Netscape versions 8.1.2 and possibly other versions

Description

The issue concerns the password management functionality in the affected browsers. It does not properly verify that the ACTION URL in a FORM element containing a password INPUT element matches the web site for which the user stored a password. This allows remote attackers to obtain passwords via a password INPUT element on a different web page located on the web site intended for this password.

Recommendations

For Mozilla Firefox versions 2.0 and 1.5.0.8 and earlier, update to a version that properly verifies the ACTION URL in a FORM element containing a password INPUT element. For Netscape versions 8.1.2 and possibly other versions, update to a version that properly verifies the ACTION URL in a FORM element containing a password INPUT element. As a temporary workaround, consider disabling the password management functionality until a patch is available.
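
The check the description says was missing, sketched as an added JavaScript example (not Mozilla's or Netscape's code, and not the actual patch): a saved password is filled only when both the page and the resolved form ACTION match the origins recorded with the credential. The `shouldAutofill` and `originOf` names, the `saved` record fields and the `*.example` hosts are assumptions made for illustration.

```javascript
// Added illustration; all names and sample values are hypothetical.
// A saved login records the origin it was captured on and the origin
// its login form submitted to.
function originOf(url, base) {
  try {
    const u = new URL(url, base);
    // Only http(s) targets have an origin worth comparing; javascript:,
    // data: and similar schemes are treated as "no match".
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin;
  } catch {
    return null; // unparsable URL: refuse to fill
  }
}

function shouldAutofill(saved, pageUrl, formAction) {
  const pageOrigin = originOf(pageUrl);
  // An empty or missing ACTION submits back to the page's own URL.
  const actionOrigin = originOf(formAction || pageUrl, pageUrl);
  if (pageOrigin === null || actionOrigin === null) return false;
  // Both the hosting page and the submit target must match the record.
  return pageOrigin === saved.origin && actionOrigin === saved.submitOrigin;
}

// Constructed sample data.
const saved = {
  origin: "https://site.example",
  submitOrigin: "https://site.example",
};
const cases = [
  ["https://site.example/login", "/session"],                       // relative ACTION
  ["https://site.example/login", ""],                               // empty ACTION
  ["https://site.example/users/page", "https://other.example/collect"], // same site, foreign ACTION
  ["https://site.example/users/page", "javascript:void(0)"],        // non-http(s) ACTION
  ["https://other.example/login", "https://site.example/session"],  // foreign page
];
for (const [page, action] of cases) {
  console.log(page, JSON.stringify(action), "->", shouldAutofill(saved, page, action));
}
```

The third case is the situation in the description: the form sits on the site the password was stored for, so a page-only comparison passes, and only the ACTION comparison rejects it.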


Related Identifiers

CVE-2006-6077
DSA-1336-1
HPSBUX02153
OPENSUSE-SU-2024:10600-1
OPENSUSE-SU-2024:14572-1
RHSA-2007:0077
RHSA-2007:0078
RHSA-2007:0079
RHSA-2007:0097
RHSA-2007:0108
RHSA-2007_0077
RHSA-2007_0078
RHSA-2007_0079
RHSA-2007_0097
RHSA-2007_0108

Affected Products

HP-UX
Firefox
Netscape
Red Hat