[NEWS] Gecko Based Browsers HTTP Authentication Prompt Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/05
- Previous message: SecuriTeam: "[NT] APG Classmaster Weak Permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 11 May 2005 15:13:48 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Gecko Based Browsers HTTP Authentication Prompt Vulnerability
------------------------------------------------------------------------
SUMMARY
The HTTP authentication prompt appears above the currently open tab
regardless of which tab triggered it. A spoofer who could get a user to
open a high value target in another tab might be able to capture the
user's ID and password. HTTP authentication dialogs are visually distinct
from the web form logins used by most commercial sites, and the HTTP
authentication dialog clearly states which host it's for. Exploitation of
this seems unlikely.
DETAILS
Vulnerable Systems:
* K-Meleon Browser version 0.9
* Mozilla suite version 1.7.5 and prior
* Firefox version 1.0 and prior
* Netscape version 7.2
Immune Systems:
* Mozilla suite version 1.7.6 or newer
* Firefox version 1.0.1 or newer
The bugzilla report about this issue gives the following example:
"Steps to reproduce:
1. Open testcase
2. Open the website of your bank in another tab
3. Wait 5 seconds"
Testcase sayed: "Now open the website of your bank in another tab".
Result:
Dialog box 'Prompt' appeared with the following fields:
User Name:
and
Password:.
Dialog box was titled as "Enter username and password for "Acme Bank" at
http://217.157.162.114" (generated by Web page
217.157.162.114/misc/auth.php).
"Expected result:
The tab containing the testcase should be focused before an HTTP
authentication dialog is opened."
Tab containing the sample site chosen (typed) by the researcher was
focused all the time during the test.
"Actual result:
An HTTP authentication dialog is opened while the tab showing the bank
website has focus. This gives the impressions that the bank website
spawned the dialog."
That was the situation when tested behavior with Firefox 1.0.3 to get more
information about this issue.
NOTE: Exploitation of this vulnerability requires that trusted Web site is
opened simultaneously at another browser tab.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584>
CAN-2005-0584
Workaround:
Don't visit trusted web sites while visiting untrusted web sites.
When typing sensitive information to a Web site login dialog boxes, be
sure that this site is a legitimate site.
Disclosure Timeline:
09-05-2005 - Vulnerability discovered
10-05-2005 - Vendor (Netscape Communications) contacted
10-05-2005 - Security companies and several CERT units informed
10-05-2005 - Advisory published
10-05-2005 - K-Meleon browser tested and confirmed as affected
10-05-2005 - Vendor (K-Meleon developer team) contacted
11-05-2005 - Security companies and CERT units informed K-Meleon 0.9 being
affected as well
ADDITIONAL INFORMATION
The information has been provided by <mailto:juha-matti.laurio@netti.fi>
Juha-Matti Laurio .
The original article can be found at:
<http://www.networksecurity.fi/advisories/netscape-auth.html>
http://www.networksecurity.fi/advisories/netscape-auth.html
The Mozilla advisory can be found at:
<http://www.mozilla.org/security/announce/mfsa2005-24.html>
http://www.mozilla.org/security/announce/mfsa2005-24.html
The Bugzilla report can be found at:
<https://bugzilla.mozilla.org/show_bug.cgi?id=277574>
https://bugzilla.mozilla.org/show_bug.cgi?id=277574
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] APG Classmaster Weak Permissions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
