[NEWS] Gecko Based Browsers HTTP Authentication Prompt Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 05/11/05

    To: list@securiteam.com
    Date: 11 May 2005 15:13:48 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Gecko Based Browsers HTTP Authentication Prompt Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    The HTTP authentication prompt appears above the currently open tab
    regardless of which tab triggered it. A spoofer who could get a user to
    open a high value target in another tab might be able to capture the
    user's ID and password. HTTP authentication dialogs are visually distinct
    from the web form logins used by most commercial sites, and the HTTP
    authentication dialog clearly states which host it's for. Exploitation of
    this seems unlikely.

    DETAILS

    Vulnerable Systems:
     * K-Meleon Browser version 0.9
     * Mozilla suite version 1.7.5 and prior
     * Firefox version 1.0 and prior
     * Netscape version 7.2

    Immune Systems:
     * Mozilla suite version 1.7.6 or newer
     * Firefox version 1.0.1 or newer

    The Bugzilla report about this issue gives the following example:
    "Steps to reproduce:
    1. Open testcase
    2. Open the website of your bank in another tab
    3. Wait 5 seconds"

    The testcase said: "Now open the website of your bank in another tab".
    Result:
    The dialog box 'Prompt' appeared with the following fields:
    User Name:
    and
    Password:.

    The dialog box was titled 'Enter username and password for "Acme Bank" at
    http://217.157.162.114' (generated by the Web page
    217.157.162.114/misc/auth.php).

    "Expected result:
    The tab containing the testcase should be focused before an HTTP
    authentication dialog is opened."

    The tab containing the sample site chosen (typed) by the researcher
    remained focused throughout the test.

    "Actual result:
    An HTTP authentication dialog is opened while the tab showing the bank
    website has focus. This gives the impression that the bank website
    spawned the dialog."

    This was the behavior observed when testing Firefox 1.0.3 to gather more
    information about this issue.

    NOTE: Exploitation of this vulnerability requires that a trusted Web site
    is open simultaneously in another browser tab.
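
The check implied by the bug report's expected result, as an added example (not code from Mozilla, the advisory or the testcase): focus the tab that triggered the 401 before showing the dialog, and label the dialog by the requesting host, because the realm text is chosen by the server. The function names, tab ids and the `Basic realm="Acme Bank"` header value are assumptions constructed from the dialog title quoted above.

```javascript
// Added example: presentation policy for an HTTP authentication challenge.
// All names here are hypothetical; this is not browser source code.

// Extract the realm parameter from a WWW-Authenticate header value.
// Handles the quoted-string form (with backslash escapes) and a bare token.
function parseRealm(headerValue) {
  const m = /\brealm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/i.exec(headerValue);
  if (!m) return null;
  return m[1] !== undefined ? m[1].replace(/\\(.)/g, "$1") : m[2];
}

// The realm is server-supplied text: strip control characters and cap its
// length so it cannot push the host name out of view in the dialog.
function sanitizeRealm(realm) {
  if (realm === null) return "";
  return realm.replace(/[\u0000-\u001f\u007f]/g, " ").trim().slice(0, 64);
}

// Decide what to do with a challenge received by tab `sourceTabId` while
// tab `focusedTabId` is the one the user is looking at.
function evaluateAuthPrompt({ challengeUrl, wwwAuthenticate, sourceTabId, focusedTabId }) {
  const requester = new URL(challengeUrl);
  const realm = sanitizeRealm(parseRealm(wwwAuthenticate));
  const fromFocusedTab = sourceTabId === focusedTabId;
  return {
    requestingHost: requester.host,
    realm,
    // Expected result from the bug report: the tab that triggered the
    // challenge is focused before the dialog opens.
    action: fromFocusedTab ? "show-prompt" : "focus-source-tab-first",
    // Lead with the host that will receive the credentials; show the realm
    // only as a quoted claim made by that host.
    label: `${requester.origin} is requesting a username and password. ` +
           `The site says: "${realm}"`,
  };
}

// Constructed sample: the challenge URL is the one quoted in the advisory;
// tab 1 holds the testcase, tab 2 is the focused tab with the trusted site.
const SAMPLE = {
  challengeUrl: "http://217.157.162.114/misc/auth.php",
  wwwAuthenticate: 'Basic realm="Acme Bank"',
  sourceTabId: 1,
  focusedTabId: 2,
};

console.log(evaluateAuthPrompt(SAMPLE));
```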

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0584>
    CAN-2005-0584

    Workaround:
    Don't visit trusted web sites while visiting untrusted web sites.
    When typing sensitive information into a Web site's login dialog box, be
    sure that the site is legitimate.

    Disclosure Timeline:
    09-05-2005 - Vulnerability discovered
    10-05-2005 - Vendor (Netscape Communications) contacted
    10-05-2005 - Security companies and several CERT units informed
    10-05-2005 - Advisory published
    10-05-2005 - K-Meleon browser tested and confirmed as affected
    10-05-2005 - Vendor (K-Meleon developer team) contacted
    11-05-2005 - Security companies and CERT units informed that K-Meleon 0.9
    is affected as well

    ADDITIONAL INFORMATION

    The information has been provided by Juha-Matti Laurio
    <juha-matti.laurio@netti.fi>.
    The original article can be found at:
    http://www.networksecurity.fi/advisories/netscape-auth.html
    The Mozilla advisory can be found at:
    http://www.mozilla.org/security/announce/mfsa2005-24.html
    The Bugzilla report can be found at:
    https://bugzilla.mozilla.org/show_bug.cgi?id=277574


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

