[NEWS] Mozilla / Mozilla Firefox Authentication Weakness

• Previous message: SecuriTeam: "[UNIX] Two Bugzilla Information Disclosure Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 20 Sep 2005 11:27:24 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Mozilla / Mozilla Firefox Authentication Weakness
------------------------------------------------------------------------

SUMMARY

A security weakness has been discovered in Mozilla's Authentication
process, where instead of using the strongest authentication scheme from a
list of available schemes, Mozilla would prefer the first one listed.

DETAILS

Vulnerable Systems:
 * Mozilla 1.7.11 (Windows version tested)
 * FireFox 1.0.6 (Windows version tested)

Firefox and Mozilla browser have vulnerability in authentication mechanism
 implementation. Potential impact of this vulnerability is weak
authentication protocol (for example cleartext) may be chosen for Web site
authentication instead of stronger one.

From <http://www.faqs.org/rfcs/rfc2617.html> RFC 2617:
The user agent MUST choose to use one of the challenges with the strongest
auth-scheme it understands and request credentials from the user based
upon that challenge.

Instead, Mozilla uses authentication schemes in the order of
WWW-Authenticate headers sent by Web server. It may lead to situation weak
authentication (for example cleartext "Basic" authentication) may be
chosen by Mozilla while both server and Mozilla support stronger
authentication mechanism.

This links demonstrate initial handshake for different authentication
protocols:
 <http://www.security.nnov.ru/files/atest/basic.asp>
http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
 <http://www.security.nnov.ru/files/atest/digest.asp>
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
 <http://www.security.nnov.ru/files/atest/ntlm.asp>
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
 <http://www.security.nnov.ru/files/atest/negotiate.asp>
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate
authentication

With this link you can check which protocol was chosen by browser, if
server support few authentication protocols:
 <http://www.security.nnov.ru/files/atest/all.asp>
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted over the wire will be chosen by default. By pressing "Cancel"
you can choose different authentication.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2395>
CAN-2005-2395

Bugzilla:
 <https://bugzilla.mozilla.org/show_bug.cgi?id=281851>
https://bugzilla.mozilla.org/show_bug.cgi?id=281851

ADDITIONAL INFORMATION

The information has been provided by <mailto:3APA3A@security.nnov.ru>
3APA3A.
The original article can be found at:
<http://www.security.nnov.ru/Jdocument717.html>
http://www.security.nnov.ru/Jdocument717.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] Two Bugzilla Information Disclosure Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]