From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 20 Sep 2005 11:27:24 +0200
Subject: [NEWS] Mozilla / Mozilla Firefox Authentication Weakness
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050920083903.10E1457BE@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mozilla / Mozilla Firefox Authentication Weakness
------------------------------------------------------------------------
SUMMARY
A security weakness has been discovered in Mozilla's Authentication
process, where instead of using the strongest authentication scheme from a
list of available schemes, Mozilla would prefer the first one listed.
DETAILS
Vulnerable Systems:
* Mozilla 1.7.11 (Windows version tested)
* FireFox 1.0.6 (Windows version tested)
Firefox and Mozilla browser have vulnerability in authentication mechanism
implementation. Potential impact of this vulnerability is weak
authentication protocol (for example cleartext) may be chosen for Web site
authentication instead of stronger one.
>From <http://www.faqs.org/rfcs/rfc2617.html>; RFC 2617:
The user agent MUST choose to use one of the challenges with the strongest
auth-scheme it understands and request credentials from the user based
upon that challenge.
Instead, Mozilla uses authentication schemes in the order of
WWW-Authenticate headers sent by Web server. It may lead to situation weak
authentication (for example cleartext "Basic" authentication) may be
chosen by Mozilla while both server and Mozilla support stronger
authentication mechanism.
This links demonstrate initial handshake for different authentication
protocols:
<http://www.security.nnov.ru/files/atest/basic.asp>;
http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
<http://www.security.nnov.ru/files/atest/digest.asp>;
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
<http://www.security.nnov.ru/files/atest/ntlm.asp>;
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
<http://www.security.nnov.ru/files/atest/negotiate.asp>;
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate
authentication
With this link you can check which protocol was chosen by browser, if
server support few authentication protocols:
<http://www.security.nnov.ru/files/atest/all.asp>;
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted over the wire will be chosen by default. By pressing "Cancel"
you can choose different authentication.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2395>;
CAN-2005-2395
Bugzilla:
<https://bugzilla.mozilla.org/show_bug.cgi?id=281851>
https://bugzilla.mozilla.org/show_bug.cgi?id=281851
ADDITIONAL INFORMATION
The information has been provided by <mailto:3APA3A@security.nnov.ru.>
3APA3A.
The original article can be found at:
<http://www.security.nnov.ru/Jdocument717.html>;
http://www.security.nnov.ru/Jdocument717.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
