Mozilla / Mozilla Firefox authentication weakness

Risk: Low
Local: No
Remote: Yes

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Dear bugTraq, I have reported this issue some time ago: but it looks like it was ignored, and not fixed in latest mozilla and firefox releases, so I decided to send "formal" advisory Issue: Mozilla browsers authentication weakness Author: 3APA3A <3APA3A (at) security.nnov (dot) ru [email concealed]> Advisory URL: Vendor: Mozilla ( Products: Mozilla 1.7.11 (Windows version tested) FireFox 1.0.6 (Windows version tested) Type: Man-in-the-Middle, information leak Exploit: Not required I. Intro RFC 2617 defines Authentication mechanism for HTTP protocol. Any web browser implement this standard for web site access authentication. II. Vulnerability Firefox and Mozilla browser have vulnerability in authentication mechanism implementation. Potential impact of this vulnerability is weak authentication protocol (for example cleartext) may be chosen for Web site authentication instead of stronger one. III. Details From RFC 2617: The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based upon that challenge. Instead, Mozilla uses authentication schemas in the order of WWW-Authenticate headers sent by Web server. It may lead to situation weak authentication (for example cleartext "Basic" authentication) may be chosen by Mozilla while both server and Mozilla support stronger authentication mechanism. IV. Demonstration This links demonstrate initial handshake for different authentication protocols: - Basic authentication - Digest authentication - NTLM authentication - Negotiate authentication With this link you can check which protocol was chosen by browser, if server support few authentication protocols: For Mozilla/Firefox "Basic" authentication with cleartext login/password transmitted over the wire will be chosen by default. By pressing "Cancel" you can choose different authentication. Internet Explorer offers strongest authentication. -- /_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-------------o66o--+ / |/

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023,


Back to Top