TUCoPS :: Browsers :: v7-1108.htm

Mozilla / Mozilla Firefox authentication weakness
Mozilla / Mozilla Firefox authentication weakness
Mozilla / Mozilla Firefox authentication weakness

Dear bugTraq,

  I  have  reported  this issue some time ago:
  but  it looks like it was ignored, and not fixed in latest mozilla and
  firefox releases, so I decided to send "formal" advisory

Issue:              Mozilla browsers authentication weakness
Author: 3APA3A <3APA3A@security.nnov.ru> 
Advisory URL: http://www.security.nnov.ru/Fnews19.html 
Vendor: Mozilla (http://www.mozilla.org) 
Products:           Mozilla 1.7.11 (Windows version tested)
                    FireFox 1.0.6 (Windows version tested)
Type:               Man-in-the-Middle, information leak
Exploit:            Not required

I. Intro

 RFC  2617  defines  Authentication mechanism for HTTP protocol. Any web
 browser implement this standard for web site access authentication.

II. Vulnerability

 Firefox  and  Mozilla  browser  have  vulnerability  in  authentication
 mechanism  implementation.  Potential  impact  of this vulnerability is
 weak  authentication protocol (for example cleartext) may be chosen for
 Web site authentication instead of stronger one.

III. Details

From RFC 2617:

   The user agent MUST
   choose to use one of the challenges with the strongest auth-scheme it
   understands and request credentials from the user based upon that

 Instead,   Mozilla   uses   authentication  schemas  in  the  order  of
 WWW-Authenticate  headers  sent by Web server. It may lead to situation
 weak  authentication (for example cleartext "Basic" authentication) may
 be  chosen  by  Mozilla  while both server and Mozilla support stronger
 authentication mechanism.

IV. Demonstration

This  links  demonstrate  initial handshake for different authentication

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication 
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication 
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication 
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication 

With  this  link  you can check which protocol was chosen by browser, if
server support few authentication protocols:
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted  over  the  wire  will  be  chosen  by  default. By pressing
"Cancel"  you  can  choose  different  authentication. Internet Explorer
offers strongest authentication.
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH