Mozilla / Mozilla Firefox authentication weakness Sep 14 2005 11:41AM
Dear bugTraq,

I have reported this issue some time ago:
but it looks like it was ignored, and not fixed in latest mozilla and
firefox releases, so I decided to send "formal" advisory

Issue: Mozilla browsers authentication weakness
Author: 3APA3A <3APA3A (at) security.nnov (dot) ru [email concealed]>
Advisory URL: http://www.security.nnov.ru/Fnews19.html
Vendor: Mozilla (http://www.mozilla.org)
Products: Mozilla 1.7.11 (Windows version tested)
FireFox 1.0.6 (Windows version tested)
Type: Man-in-the-Middle, information leak
Exploit: Not required

I. Intro

RFC 2617 defines Authentication mechanism for HTTP protocol. Any web
browser implement this standard for web site access authentication.

II. Vulnerability

Firefox and Mozilla browser have vulnerability in authentication
mechanism implementation. Potential impact of this vulnerability is
weak authentication protocol (for example cleartext) may be chosen for
Web site authentication instead of stronger one.

III. Details

From RFC 2617:

The user agent MUST
choose to use one of the challenges with the strongest auth-scheme it
understands and request credentials from the user based upon that

Instead, Mozilla uses authentication schemas in the order of
WWW-Authenticate headers sent by Web server. It may lead to situation
weak authentication (for example cleartext "Basic" authentication) may
be chosen by Mozilla while both server and Mozilla support stronger
authentication mechanism.

IV. Demonstration

This links demonstrate initial handshake for different authentication

http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication
http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication
http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication
http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication

With this link you can check which protocol was chosen by browser, if
server support few authentication protocols:
For Mozilla/Firefox "Basic" authentication with cleartext login/password
transmitted over the wire will be chosen by default. By pressing
"Cancel" you can choose different authentication. Internet Explorer
offers strongest authentication.

/\_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus