Dear bugTraq,
I have reported this issue some time ago:
http://www.security.nnov.ru/Fnews19.html
but it looks like it was ignored, and not fixed in latest mozilla and
firefox releases, so I decided to send "formal" advisory
Issue: Mozilla browsers authentication weakness
Author: 3APA3A <3APA3A (at) security.nnov (dot) ru [email concealed]>
Advisory URL: http://www.security.nnov.ru/Fnews19.html
Vendor: Mozilla (http://www.mozilla.org)
Products: Mozilla 1.7.11 (Windows version tested)
FireFox 1.0.6 (Windows version tested)
Type: Man-in-the-Middle, information leak
Exploit: Not required
I. Intro
RFC 2617 defines Authentication mechanism for HTTP protocol. Any web
browser implement this standard for web site access authentication.
II. Vulnerability
Firefox and Mozilla browser have vulnerability in authentication
mechanism implementation. Potential impact of this vulnerability is
weak authentication protocol (for example cleartext) may be chosen for
Web site authentication instead of stronger one.
III. Details
From RFC 2617:
The user agent MUST
choose to use one of the challenges with the strongest auth-scheme it
understands and request credentials from the user based upon that
challenge.
Instead, Mozilla uses authentication schemas in the order of
WWW-Authenticate headers sent by Web server. It may lead to situation
weak authentication (for example cleartext "Basic" authentication) may
be chosen by Mozilla while both server and Mozilla support stronger
authentication mechanism.
IV. Demonstration
This links demonstrate initial handshake for different authentication
protocols:
http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication
With this link you can check which protocol was chosen by browser, if
server support few authentication protocols:
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted over the wire will be chosen by default. By pressing
"Cancel" you can choose different authentication. Internet Explorer
offers strongest authentication.
--
http://www.security.nnov.ru
/_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/