Red Hat Bugzilla – Bug 149936
CAN-2005-0590 Install source spoofing with user:pass@host
Last modified: 2007-11-30 17:07:16 EST
The installation confirmation dialog shows the source of the software. By adding
a long, fake "user:pass" in front of the true hostname, the user might be
convinced to trust software that comes from an untrustworthy source. This is
similar to attempts used in some phishing mail:
By default Firefox only allows install attempts from http://update.mozilla.org;
a user would need to explicitly allow the spoofing host to initiate installs
before it could try this trick.
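As an added illustration of the defensive fix (this is example code, not Firefox's own), the dialog and the install allowlist should both act on the parsed host, not on the raw URL string: the real host is whatever follows the last "@" in the authority, and any userinfo in an install URL is itself a warning sign. The sample URL and the host names in it are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed sample: a long, reassuring-looking "user:pass" prefix in front of
# the true host. Both host names are placeholders, not real sites.
SPOOFED_URL = "http://update.mozilla.org:security-update@install.example/extension.xpi"
ALLOWED_INSTALL_HOSTS = {"update.mozilla.org"}


def naive_source_label(url: str, width: int = 32) -> str:
    """What a dialog shows if it simply truncates the raw URL to fit.

    With a long enough userinfo prefix, only the fake part is visible.
    """
    return url if len(url) <= width else url[:width] + "..."


def describe_install_source(url: str) -> dict:
    """Return the host the user would actually be trusting, plus spoof indicators.

    urlsplit separates userinfo from the host: .hostname is the true host no
    matter how much text precedes the '@' in the authority component.
    """
    parts = urlsplit(url)
    has_userinfo = "@" in parts.netloc
    return {
        "scheme": parts.scheme,
        "true_host": parts.hostname,
        # Everything before the last '@' is userinfo and carries no trust.
        "userinfo": parts.netloc.rsplit("@", 1)[0] if has_userinfo else None,
        # Install URLs have no business carrying credentials; treat it as suspect.
        "spoof_suspect": has_userinfo,
    }


def install_allowed(url: str, allowed_hosts: set) -> bool:
    """Allowlist decision made on the parsed true host, never on the raw string."""
    info = describe_install_source(url)
    if info["scheme"] not in ("http", "https") or info["spoof_suspect"]:
        return False
    return info["true_host"] in allowed_hosts


if __name__ == "__main__":
    print("naive label :", naive_source_label(SPOOFED_URL))
    print("parsed      :", describe_install_source(SPOOFED_URL))
    print("allowed     :", install_allowed(SPOOFED_URL, ALLOWED_INSTALL_HOSTS))
```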
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.