Sorry guys,
the problem is the same with acroread standalone, not only with the plugin!
Thanks,
best regards.
---------- Forwarded message ----------
From: Pietro Cerutti <pietro.cerutti@gmail.com>
Date: 2-Dec-2005 13.43
Subject: acroread security problem
To: freebsd-security@freebsd.org
Dear all,
I think there's a security problem with the acroread plugin for firefox.
I'm using sysutils/pwsafe to manage my passwords. A feature of this
tool is that it can copy the requested password to the X clipboard,
allowing the user to paste it (e.g. in a password box), never seeing
the pass in clear.
When I load a PDF document in Firefox, the acroread process lives on
even after the PDF document is closed:
$ pgrep acroread
17260
and reads anything I copy in the X clipboard.
So when I use pwsafe to get a password, the pass is sent to the
acroread process:
$ pwsafe -p gmail
Going to copy password to X selection
Enter passphrase for /home/piter/.pwsafe.dat: [xxx]
You are ready to paste the password for gmail from PRIMARY and CLIPBOARD
Press any key when done
Sending password for gmail to acroread@gahr via CLIPBOARD
and this is done automatically. Note that I didn't touch any key after
writing the main password of pwsafe (noted [xxx] in the code above).
Can anyone explain this behaviour?
Thank you very much, best regards.
[list of ports installed]
www/firefox: firefox-1.5,1
www/linuxpluginwrapper: linuxpluginwrapper-20050910
print/acroread7: acroread7-7.0.1
--
Pietro Cerutti
<pietro.cerutti@gmail.com>
Beansidhe - SwiSS Death / Thrash Metal
<www.beansidhe.ch>
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming or what?"
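Added example, not part of the original post and not code from pwsafe: pwsafe names each X client it hands the secret to, so a saved transcript can be checked for unexpected requesters such as the acroread process reported above. It assumes the "Sending password for ... to client@host via SELECTION" line format shown in the post; the allowlisted client names and the second delivery line in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit which X clients pwsafe handed a secret to.
# Assumes the line format shown in the transcript in this post:
#   Sending password for <entry> to <client>@<host> via <SELECTION>
# The allowlisted client names are hypothetical.

# audit_pwsafe_log ALLOWED_CLIENT...
# Reads a pwsafe transcript on stdin, prints one UNEXPECTED line for each
# delivery to a client outside the allowlist, and returns 1 if any was found.
audit_pwsafe_log() {
    awk -v allow=" $* " '
        /^Sending password for / && NF >= 8 && $(NF-3) == "to" && $(NF-1) == "via" {
            requester = $(NF-2)
            client = requester; sub(/@.*$/, "", client)
            host = requester;   sub(/^[^@]*@/, "", host)
            # Entry names may contain spaces: rejoin fields 4 .. NF-4.
            entry = $4
            for (i = 5; i <= NF - 4; i++) entry = entry " " $i
            if (index(allow, " " client " ") == 0) {
                printf "UNEXPECTED entry=%s client=%s host=%s selection=%s\n",
                       entry, client, host, $NF
                flagged = 1
            }
        }
        END { exit flagged + 0 }
    '
}

# Constructed sample: the acroread line is the one quoted in the post,
# the firefox-bin line is invented to show an expected paste target.
sample_log() {
cat <<'EOF'
Going to copy password to X selection
You are ready to paste the password for gmail from PRIMARY and CLIPBOARD
Press any key when done
Sending password for gmail to acroread@gahr via CLIPBOARD
Sending password for gmail to firefox-bin@gahr via PRIMARY
EOF
}

sample_log | audit_pwsafe_log firefox-bin xterm \
    || echo "secret was delivered to a client outside the allowlist"
```

A non-zero return means the copied secret should be treated as exposed to the listed client and rotated.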