Mozilla Foundation Security Advisory 2005-17

Install source spoofing with user:pass@host

Announced

February 24, 2005

Reporter

Phil Ringnalda

Risk

Low

Impact

Low

Products

Firefox, Mozilla Suite, Thunderbird

Fixed in

Firefox 1.0.1
Mozilla Suite 1.7.6
Thunderbird 1.0.2

Description

The installation confirmation dialog shows the source of the software. By adding a long, fake "user:pass" in front of the true hostname the user might be convinced to trust software that comes from an untrustworthy source. This is similar to attempts used in some phishing mail: "http://www.mozilla.org@attacker.com/install.xpi".

By default Firefox only allows install attempts from http://update.mozilla.org, a user would need to explicitly allow the spoofing host to initiate installs before it could try this trick.

Workaround

Do not install software when prompted by untrusted sites. Enlarge the install confirmation dialog and verify that "@" does not appear before the first "/" character.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=268059

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice