Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Full Disclosure: Mozilla / Mozilla Firefox authentication weakness

Mozilla / Mozilla Firefox authentication weakness

From: 3APA3A <3APA3A_at_SECURITY.NNOV.RU>
Date: Wed, 14 Sep 2005 15:41:45 +0400

Dear bugTraq,

  I have reported this issue some time ago:
  http://www.security.nnov.ru/Fnews19.html
  but it looks like it was ignored, and not fixed in latest mozilla and
  firefox releases, so I decided to send "formal" advisory

Issue: Mozilla browsers authentication weakness
Author: 3APA3A <3APA3A_at_security.nnov.ru>
Advisory URL: http://www.security.nnov.ru/Fnews19.html
Vendor: Mozilla (http://www.mozilla.org)
Products: Mozilla 1.7.11 (Windows version tested)
                    FireFox 1.0.6 (Windows version tested)
Type: Man-in-the-Middle, information leak
Exploit: Not required

I. Intro

 RFC 2617 defines Authentication mechanism for HTTP protocol. Any web
 browser implement this standard for web site access authentication.

II. Vulnerability

 Firefox and Mozilla browser have vulnerability in authentication
 mechanism implementation. Potential impact of this vulnerability is
 weak authentication protocol (for example cleartext) may be chosen for
 Web site authentication instead of stronger one.

III. Details

From RFC 2617:

   The user agent MUST
   choose to use one of the challenges with the strongest auth-scheme it
   understands and request credentials from the user based upon that
   challenge.

 Instead, Mozilla uses authentication schemas in the order of
 WWW-Authenticate headers sent by Web server. It may lead to situation
 weak authentication (for example cleartext "Basic" authentication) may
 be chosen by Mozilla while both server and Mozilla support stronger
 authentication mechanism.

IV. Demonstration

This links demonstrate initial handshake for different authentication
protocols:

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication

With this link you can check which protocol was chosen by browser, if
server support few authentication protocols:
http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted over the wire will be chosen by default. By pressing
"Cancel" you can choose different authentication. Internet Explorer
offers strongest authentication.
  

-- 
http://www.security.nnov.ru
         /\_/\
        { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                    |/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Received on Sep 14 2005
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]