Date: Fri, 2 Dec 2005 13:43:49 +0100
From: Pietro Cerutti <pietro.cerutti@gmail.com>
To: freebsd-security@freebsd.org
Subject: acroread security problem
Message-ID: <e572718c0512020443g35200aebn@mail.gmail.com>

Dear all,

I think there's a security problem with the acroread plugin for firefox.

I'm using sysutils/pwsafe to manage my passwords. A feature of this tool is that it can copy the requested password to the X clipboard, allowing the user to paste it (e.g. in a password box), never seeing the pass in clear.

When I load a PDF document in Firefox, the acroread process lives on even after the PDF document is closed:

$ pgrep acroread
17260

and reads anything I copy in the X clipboard. So when I use pwsafe to get a password, the pass is sent to the acroread process:

$ pwsafe -p gmail
Going to copy password to X selection
Enter passphrase for /home/piter/.pwsafe.dat: [xxx]
You are ready to paste the password for gmail from PRIMARY and CLIPBOARD
Press any key when done
Sending password for gmail to acroread@gahr via CLIPBOARD

and this is done automatically. Note that I didn't touch any key after writing the main password of pwsafe (noted [xxx] in the code above).

Can anyone explain this behaviour?

Thank you very much, best regards.

[list of ports installed]
www/firefox: firefox-1.5,1
www/linuxpluginwrapper: linuxpluginwrapper-20050910
print/acroread7: acroread7-7.0.1

-- 
Pietro Cerutti <pietro.cerutti@gmail.com>
Beansidhe - SwiSS Death / Thrash Metal <www.beansidhe.ch>
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming or what?"