The installation confirmation dialog shows the source of the software. By adding a long, fake "user:pass" in front of the true hostname, the user might be convinced to trust software that comes from an untrustworthy source. This is similar to attempts used in some phishing mail: "http://www.mozilla.org@attacker.com/install.xpi". By default Firefox only allows install attempts from http://update.mozilla.org; a user would need to explicitly allow the spoofing host to initiate installs before it could try this trick. http://www.mozilla.org/security/announce/mfsa2005-17.html
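
An added example, not part of the original report and not Mozilla's code: one way a confirmation dialog could derive the source string it shows, so that a "user:pass@" prefix never reaches the user and the allowlist check runs against the real hostname. The function and constant names are hypothetical; the allowlist entry is the default host named in the report.

```javascript
// Hypothetical allowlist; update.mozilla.org is the default named in the report.
const ALLOWED_INSTALL_HOSTS = new Set(["update.mozilla.org"]);

// Hypothetical helper: turn a raw install URL into what a dialog should
// display and what an allowlist check should compare against.
function describeInstallSource(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser: splits userinfo from the host
  } catch (e) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "unsupported scheme" };
  }
  // Anything before '@' in the authority is userinfo, not the host.
  const hasUserinfo = url.username !== "" || url.password !== "";
  return {
    ok: true,
    host: url.hostname,                       // real host, lowercased
    display: `${url.protocol}//${url.host}`,  // scheme + host[:port], no userinfo
    hasUserinfo,                              // worth flagging to the user
    allowed: ALLOWED_INSTALL_HOSTS.has(url.hostname),
  };
}

// The URL quoted in the report, plus constructed samples.
const samples = [
  "http://www.mozilla.org@attacker.com/install.xpi",
  "http://update.mozilla.org:secure-area@attacker.example/install.xpi",
  "http://update.mozilla.org/extensions/install.xpi",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(describeInstallSource(s)));
}
```
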
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-176.html