Netscape Browser version 8.1.2 is confirmed as affected too.
Vendor was contacted on 23th november, 2006.
When visiting the PoC address the following URL (Chapin Information Services - Google Search) was generated:
http://www.google.com/search?q=Chapin+Information+Services&loginuser=testuser&loginpass=pass&x=467&y=642
listing the Username 'testuser' and Password 'pass' as part of URL too.
It is required that user will accept the Save New Passcard window with 'OK' and option Fill & Submit when visiting the site again.
Workaround:
Use "Never save login information for this site" option.
Password Manager is known as Passcard Manager in Netscape.
Juha-Matti Laurio,
Networksecurity.fi
Michael Scheidell <scheidell@xxxxxxxxxx> wrote:
Looks like this also affects FireFox 1.5.08.
