Ads Mozilla / Mozilla Firefox Authentication Weakness Wednesday, 21 September 2005 Summary A security weakness has been discovered in Mozillas Authentication process, where instead of using the strongest authentication scheme from a list of available schemes, Mozilla would prefer the first one listed. Credit: The information has been provided by 3APA3A. The original article can be found at: http://www.security.nnov.ru/Jdocument717.html Details Vulnerable Systems: * Mozilla 1.7.11 (Windows version tested) * FireFox 1.0.6 (Windows version tested) Firefox and Mozilla browser have vulnerability in authentication mechanism implementation. Potential impact of this vulnerability is weak authentication protocol (for example cleartext) may be chosen for Web site authentication instead of stronger one. From RFC 2617: The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based upon that challenge. Instead, Mozilla uses authentication schemes in the order of WWW-Authenticate headers sent by Web server. It may lead to situation weak authentication (for example cleartext "Basic" authentication) may be chosen by Mozilla while both server and Mozilla support stronger authentication mechanism. This links demonstrate initial handshake for different authentication protocols: http://www.security.nnov.ru/files/atest/basic.asp - Basic authentication http://www.security.nnov.ru/files/atest/digest.asp - Digest authentication http://www.security.nnov.ru/files/atest/ntlm.asp - NTLM authentication http://www.security.nnov.ru/files/atest/negotiate.asp - Negotiate authentication With this link you can check which protocol was chosen by browser, if server support few authentication protocols: http://www.security.nnov.ru/files/atest/all.asp For Mozilla/Firefox "Basic" authentication with cleartext login/password transmitted over the wire will be chosen by default. By pressing "Cancel" you can choose different authentication. CVE Information: CAN-2005-2395 Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=281851   < Prev   Next > [ Back ]

Main Menu SpamAlerts | Windows | Linux | Tutorials | Excell | WhitePapers | News | Spam | Virus Windows Focus VNews Vulnerability Hacking Sql Injection map Downloads Affiliates Online Store Free Ringtones Seo Directory IWebListin Jobs in India Freshers Jobs listings. Winkeyfinder

Copyright 2005-2007 SpamAlertz.com, Content on this site is From variuos other emails, and Advisories.