Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:9717
HistorySep 14, 2005 - 12:00 a.m.

Mozilla / Mozilla Firefox authentication weakness

2005-09-1400:00:00
vulners.com
107
JSON

Dear bugTraq,

I have reported this issue some time ago:
http://www.security.nnov.ru/Fnews19.html
but it looks like it was ignored, and not fixed in latest mozilla and
firefox releases, so I decided to send "formal" advisory

Issue: Mozilla browsers authentication weakness
Author: 3APA3A <[email protected]>
Advisory URL: http://www.security.nnov.ru/Fnews19.html
Vendor: Mozilla (http://www.mozilla.org)
Products: Mozilla 1.7.11 (Windows version tested)
FireFox 1.0.6 (Windows version tested)
Type: Man-in-the-Middle, information leak
Exploit: Not required

I. Intro

RFC 2617 defines Authentication mechanism for HTTP protocol. Any web
browser implement this standard for web site access authentication.

II. Vulnerability

Firefox and Mozilla browser have vulnerability in authentication
mechanism implementation. Potential impact of this vulnerability is
weak authentication protocol (for example cleartext) may be chosen for
Web site authentication instead of stronger one.

III. Details

From RFC 2617:

The user agent MUST
choose to use one of the challenges with the strongest auth-scheme it
understands and request credentials from the user based upon that
challenge.

Instead, Mozilla uses authentication schemas in the order of
WWW-Authenticate headers sent by Web server. It may lead to situation
weak authentication (for example cleartext "Basic" authentication) may
be chosen by Mozilla while both server and Mozilla support stronger
authentication mechanism.

IV. Demonstration

This links demonstrate initial handshake for different authentication
protocols:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication

With this link you can check which protocol was chosen by browser, if
server support few authentication protocols:
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted over the wire will be chosen by default. By pressing
"Cancel" you can choose different authentication.


http://www.security.nnov.ru
/\_/\
{ , . } |\
±-oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
±------------o66o–+ /
|/

JSON