Bugtraqmailing list archives

By Date

By Thread

Mozilla / Mozilla Firefox authentication weakness

Dear bugTraq,  I  have  reported  this issue some time ago:http://www.security.nnov.ru/Fnews19.html  but  it looks like it was ignored, and not fixed in latest mozilla and  firefox releases, so I decided to send "formal" advisoryIssue:              Mozilla browsers authentication weaknessAuthor:             3APA3A <3APA3A () security nnov ru>Advisory URL:http://www.security.nnov.ru/Fnews19.htmlVendor:             Mozilla (http://www.mozilla.org)Products:           Mozilla 1.7.11 (Windows version tested)                    FireFox 1.0.6 (Windows version tested)Type:               Man-in-the-Middle, information leakExploit:            Not requiredI. Intro RFC  2617  defines  Authentication mechanism for HTTP protocol. Any web browser implement this standard for web site access authentication.II. Vulnerability Firefox  and  Mozilla  browser  have  vulnerability  in  authentication mechanism  implementation.  Potential  impact  of this vulnerability is weak  authentication protocol (for example cleartext) may be chosen for Web site authentication instead of stronger one.III. DetailsFrom RFC 2617:   The user agent MUST   choose to use one of the challenges with the strongest auth-scheme it   understands and request credentials from the user based upon that   challenge. Instead,   Mozilla   uses   authentication  schemas  in  the  order  of WWW-Authenticate  headers  sent by Web server. It may lead to situation weak  authentication (for example cleartext "Basic" authentication) may be  chosen  by  Mozilla  while both server and Mozilla support stronger authentication mechanism.IV. DemonstrationThis  links  demonstrate  initial handshake for different authenticationprotocols:http://www.security.nnov.ru/files/atest/basic.asp - Basic authenticationhttp://www.security.nnov.ru/files/atest/digest.asp - Digest authenticationhttp://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authenticationhttp://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authenticationWith  this  link  you can check which protocol was chosen by browser, ifserver support few authentication protocols:http://www.security.nnov.ru/files/atest/all.aspFor Mozilla/Firefox "Basic" authentication with cleartext login/passwordtransmitted  over  the  wire  will  be  chosen  by  default. By pressing"Cancel"  you  can  choose  different  authentication. Internet Exploreroffers strongest authentication. --http://www.security.nnov.ru         /\_/\        { , . }     |\+--oQQo->{ ^ }<-----+ \|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)+-------------o66o--+ /                    |/

By Date

By Thread

Current thread:

• Mozilla / Mozilla Firefox authentication weakness3APA3A (Sep 14)
  • Re: [Full-disclosure] Mozilla / Mozilla Firefox authentication weaknessDaniel Veditz (Sep 15)