Mozilla / Mozilla Firefox authentication weakness

2005.09.17
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Dear bugTraq, I have reported this issue some time ago: http://www.security.nnov.ru/Fnews19.html but it looks like it was ignored, and not fixed in latest mozilla and firefox releases, so I decided to send "formal" advisory Issue: Mozilla browsers authentication weakness Author: 3APA3A <3APA3A (at) security.nnov (dot) ru [email concealed]> Advisory URL: http://www.security.nnov.ru/Fnews19.html Vendor: Mozilla (http://www.mozilla.org) Products: Mozilla 1.7.11 (Windows version tested) FireFox 1.0.6 (Windows version tested) Type: Man-in-the-Middle, information leak Exploit: Not required I. Intro RFC 2617 defines Authentication mechanism for HTTP protocol. Any web browser implement this standard for web site access authentication. II. Vulnerability Firefox and Mozilla browser have vulnerability in authentication mechanism implementation. Potential impact of this vulnerability is weak authentication protocol (for example cleartext) may be chosen for Web site authentication instead of stronger one. III. Details From RFC 2617: The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based upon that challenge. Instead, Mozilla uses authentication schemas in the order of WWW-Authenticate headers sent by Web server. It may lead to situation weak authentication (for example cleartext "Basic" authentication) may be chosen by Mozilla while both server and Mozilla support stronger authentication mechanism. IV. Demonstration This links demonstrate initial handshake for different authentication protocols: http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication With this link you can check which protocol was chosen by browser, if server support few authentication protocols: http://www.security.nnov.ru/files/atest/all.asp For Mozilla/Firefox "Basic" authentication with cleartext login/password transmitted over the wire will be chosen by default. By pressing "Cancel" you can choose different authentication. Internet Explorer offers strongest authentication. -- http://www.security.nnov.ru /_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-------------o66o--+ / |/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top