Bug 117181 - VUL-0: mozilla/firefox: authentication bypass/negotiation of wrong protocol
Status: RESOLVED WONTFIX
Alias: None
Product: SUSE Linux 10.1
Classification: openSUSE
Component: Firefox
Version: unspecified
Hardware: Other All
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: E-mail List
QA Contact: E-mail List
URL:
Whiteboard: CVE-2005-2395: CVSS v2 Base Score: 5....
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-15 09:07 UTC by Thomas Biege
Modified: 2009-10-13 21:27 UTC

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Biege 2005-09-15 09:07:33 UTC
Hello Wolfgang,
here is another one...

Delivery-Date: Wed, 14 Sep 2005 17:12:14 +0200
Date: Wed, 14 Sep 2005 15:41:45 +0400
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: bugTraq <bugtraq@securityfocus.com>, full-disclosure@lists.grok.org.uk,
        security@mozilla.org
Subject: Mozilla / Mozilla Firefox authentication weakness
Envelope-To: tom@electric-sheep.org

Dear bugTraq,

  I have reported this issue some time ago:
  http://www.security.nnov.ru/Fnews19.html
  but it looks like it was ignored, and not fixed in latest mozilla and
  firefox releases, so I decided to send "formal" advisory


Issue:              Mozilla browsers authentication weakness
Author:             3APA3A <3APA3A@security.nnov.ru>
Advisory URL:       http://www.security.nnov.ru/Fnews19.html
Vendor:             Mozilla (http://www.mozilla.org)
Products:           Mozilla 1.7.11 (Windows version tested)
                    FireFox 1.0.6 (Windows version tested)
Type:               Man-in-the-Middle, information leak
Exploit:            Not required

I. Intro

 RFC 2617 defines the Authentication mechanism for the HTTP protocol. Any web
 browser implements this standard for web site access authentication.

II. Vulnerability

 Firefox and Mozilla browsers have a vulnerability in the authentication
 mechanism implementation. The potential impact of this vulnerability is that
 a weak authentication protocol (for example cleartext) may be chosen for
 Web site authentication instead of a stronger one.

III. Details

From RFC 2617:

   The user agent MUST
   choose to use one of the challenges with the strongest auth-scheme it
   understands and request credentials from the user based upon that
   challenge.

 Instead, Mozilla uses authentication schemes in the order of the
 WWW-Authenticate headers sent by the Web server. It may lead to a situation
 where weak authentication (for example cleartext "Basic" authentication) may
 be chosen by Mozilla while both the server and Mozilla support a stronger
 authentication mechanism.

IV. Demonstration

These links demonstrate the initial handshake for different authentication
protocols:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication

With this link you can check which protocol was chosen by the browser, if
the server supports a few authentication protocols:
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox, "Basic" authentication with cleartext login/password
transmitted over the wire will be chosen by default. By pressing
"Cancel" you can choose a different authentication. Internet Explorer
offers the strongest authentication.

--
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
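
Added example (not part of the original report and not Mozilla code): the two selection policies the advisory contrasts, run over a constructed 401 response that lists its WWW-Authenticate challenges weakest first. The strength ranking, the function names and the sample headers are assumptions made for illustration, and one challenge per header line is assumed.

```python
# Added illustration; not Mozilla code. The ranking below is an assumption.
SCHEME_STRENGTH = {"basic": 0, "digest": 1, "ntlm": 2, "negotiate": 3}

def scheme_of(header_value):
    """Return the lowercased auth-scheme token of one WWW-Authenticate value."""
    parts = header_value.strip().split(None, 1)
    return parts[0].lower() if parts else ""

def pick_in_header_order(challenges, supported=SCHEME_STRENGTH):
    """Behaviour the advisory describes: the first understood challenge wins."""
    for value in challenges:
        if scheme_of(value) in supported:
            return value
    return None

def pick_strongest(challenges, supported=SCHEME_STRENGTH):
    """RFC 2617 behaviour: strongest understood scheme, whatever the order."""
    understood = [v for v in challenges if scheme_of(v) in supported]
    if not understood:
        return None
    return max(understood, key=lambda v: supported[scheme_of(v)])

def weaker_than_available(chosen, challenges, supported=SCHEME_STRENGTH):
    """True when a stronger understood scheme was offered than the one chosen."""
    best = pick_strongest(challenges, supported)
    if best is None:
        return False
    return supported.get(scheme_of(chosen), -1) < supported[scheme_of(best)]

# Constructed sample: one 401 response offering four schemes, weakest first.
SAMPLE_401 = [
    'Basic realm="atest"',
    'Digest realm="atest", qop="auth", nonce="constructed-nonce"',
    "NTLM",
    "Negotiate",
]

if __name__ == "__main__":
    for name, pick in (("header order", pick_in_header_order),
                       ("strongest", pick_strongest)):
        chosen = pick(SAMPLE_401)
        print(name, "->", chosen,
              "| weaker than available:", weaker_than_available(chosen, SAMPLE_401))
```

A client-side check like weaker_than_available can also be used in a proxy or test harness to flag responses where Basic is offered alongside a stronger scheme.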
Comment 1 Thomas Biege 2005-09-15 09:08:29 UTC
CAN-2005-2395
Comment 2 Wolfgang Rosenauer 2005-09-15 09:16:44 UTC
https://bugzilla.mozilla.org/show_bug.cgi?id=281851

What is security-team's severity for this? According to the above bug it's not
very critical.
Comment 3 Thomas Biege 2005-09-15 09:26:01 UTC
For now it's ok to just fix it along with other updates.
Comment 4 Marcus Meissner 2006-03-29 13:23:44 UTC
ping? any update?
Comment 5 Wolfgang Rosenauer 2006-03-29 14:02:05 UTC
A patch is being worked on but for Mozilla this is no priority. Currently a first patch is available for discussion.
Comment 6 Bodo Bauer 2006-04-24 13:19:21 UTC
ping? any update?
Comment 7 Wolfgang Rosenauer 2006-04-24 15:03:06 UTC
no, sorry. No upstream solution yet.
Comment 8 Marcus Meissner 2006-11-08 15:11:40 UTC
still not fixed. but public.
Comment 9 Bodo Bauer 2007-01-25 15:39:37 UTC
I'm leaving Novell. If TPM assistance is needed, please ask Joachim Plack (AMD related issues) or Oliver Ries (general x86_64/i386) for assistance.
Comment 10 Marcus Meissner 2007-02-16 11:41:47 UTC
i am suspending this bug for now. the fix must come from upstream and it probably will at some point in time.
Comment 11 Stephan Kulow 2008-06-25 09:33:23 UTC
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 12 Stephan Kulow 2008-06-25 09:35:02 UTC
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 13 Stephan Kulow 2008-06-25 09:41:10 UTC
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 14 Stephan Kulow 2008-06-25 09:52:47 UTC
Closing old LATER+REMIND bugs as WONTFIX - if you still plan to work on it, feel free to reopen and set to ASSIGNED.

In case the report saw repeated reopen comments, it's due to bugzilla timing out on the huge request ;(
Comment 15 Marcus Meissner 2008-06-26 07:06:20 UTC
again, bugfix needs to come from upstream, we cannot really do anything
Comment 16 Thomas Biege 2009-10-13 21:27:35 UTC
CVE-2005-2395: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)