Closed
Bug 329746
Opened 18 years ago
Closed 18 years ago
Content injection spoofing with a space before colon in HTTP header
Categories
(Core :: Networking: HTTP, defect, P1)
Core
Networking: HTTP
Tracking
()
RESOLVED
FIXED
mozilla1.8.1
People
(Reporter: kohei, Assigned: darin.moz)
References
Details
(Keywords: fixed1.8.1, testcase, verified1.8.0.4, Whiteboard: [sg:high])
Attachments
(6 files)
|
75.70 KB,
image/png
|
Details | |
|
74.88 KB,
image/png
|
Details | |
|
725 bytes,
text/plain
|
Details | |
|
655 bytes,
text/plain
|
Details | |
|
10.43 KB,
patch
|
Biesinger
:
review+
bzbarsky
:
superreview+
bzbarsky
:
approval-branch-1.8.1+
dveditz
:
approval1.8.0.4+
|
Details | Diff | Splinter Review |
|
9.44 KB,
patch
|
Details | Diff | Splinter Review |
data flow chart
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1 Build Identifier: N/A Note: This bug was originally reported to IPA (Information-technology Promotion Agency, Japan) and forwarded to us at Mozilla Japan. I'm NOT original reporter. Don't mention my name in the security advisory. For more information about IPA, visit http://www.ipa.go.jp/about/english/ IPA#62734622 Attackers can forge a Web page on another domain by sending the HTTP response including Transfer-Encoding header with a space between header name and colon (:). This could be used for the real phishing to steal sensitive data, such as user password or cookies. Windows XP Professional SP2 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060129 Firefox/1.6a1 Reproducible: Sometimes Steps to Reproduce: 1. Set up Firefox to use Microsoft Internet Security & Acceleration Server 2004 (ISA Server) for HTTP proxy 2. Provide the proxy with HTTP response with the following conditions: A. "Content-Length" header is included B. "Transfer-Encoding : chunked" is included (note a space between "Encoding" and ":") C. response length with chunk size data of B is shorter than the value of A Actual Results: "Transfer-Encoding SP" header (Transfer-Encoding header with a space) is not defined by HTTP/1.1. Therefore, ISA Server will send data of the number of bytes specified by Content-Length header to the browser. Transfer-Encoding header with a space will be transferred as is. This is appropriate behavior compliant with HTTP/1.1. Received the response via proxy, Firefox recognizes "Transfer-Encoding SP" header as "Transfer-Encoding" header and understands that the response body is chunked encoded. The rest of response determined by the condition C is incorrectly recognized as the response of following HTTP request. Expected Results: The rest of response should not be recognized as the response of following HTTP request. The malicious Web site admins can target Firefox users who use HTT/1.1 proxy to steal cookies or build web pages including fake login form for arbitrary domains. Workaround: Don't use ISA Server More info coming.
|
Reporter | |
Comment 2•18 years ago
|
||
IPA send us the data flow chart. I attach it.
|
|
Reporter | |
Comment 3•18 years ago
|
||
Here is another chart. This bug can also be reproduced with Content-Length header.
|
|
Reporter | |
Comment 4•18 years ago
|
||
Nominate for blocking.
Flags: blocking1.8.1?
Flags: blocking1.8.0.2?
|
||
Updated•18 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9a1+
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.2?
Flags: blocking1.7.14?
Flags: blocking-aviary1.0.9?
|
|
Reporter | |
Comment 6•18 years ago
|
||
Any updates?
|
Assignee | |
Updated•18 years ago
|
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.8.1
|
|
Assignee | |
Comment 7•18 years ago
|
||
I don't think spaces around the colon have anything to do with this problem. Firefox prefers the last Content-Length header over the first, and it will prefer "Tranfer-Encoding: chunked" over a given Content-Length.
|
|
Assignee | |
Comment 8•18 years ago
|
||
OK, nevermind. I understand now. This problem occurs because Firefox tolerates headers that are malformed. ISA proxy on the other hand, ignores the malformed headers, and therefore this bug gets introduced. I recall that we added support for sloppy header parsing for consistency with IE because many websites serve malformed headers. Some, even send '=' instead of ':'. I'm not sure how to proceed. If we make Firefox conform strictly to RFC 2616, then we risk breaking web site compatibility. If we do not, then we risk security.
|
|
Assignee | |
Comment 9•18 years ago
|
||
Here's the code that Firefox uses to parse response headers: http://lxr.mozilla.org/mozilla/source/netwerk/protocol/http/src/nsHttpHeaderArray.cpp#131 The comment documents the parsing rules that we implement.
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.0.3? → blocking1.8.0.3+
Whiteboard: [sg:high]
|
|
Assignee | |
Comment 10•18 years ago
|
||
The patch for this bug will conflict with the patch for bug 328817, so I'm making this bug depend on that bug.
Depends on: 328817
|
|
Assignee | |
Comment 11•18 years ago
|
||
|
|
Assignee | |
Comment 12•18 years ago
|
||
|
|
Assignee | |
Comment 13•18 years ago
|
||
I have IE, version 6.0.2900.2180.xpsp_sp2_gdr.050301-1519, and it does not appear to be vulnerable to this problem. It seems like Microsoft must have tightened up the header parsing in IE somewhere along the way, or maybe ruslan was wrong: https://bugzilla.mozilla.org/show_bug.cgi?id=29219#c14 It seems that the best fix might be to make our header parsing strict again given the ubiquity of IE 6.
|
|
Assignee | |
Comment 14•18 years ago
|
||
Attachment #217369 -
Flags: superreview?(bzbarsky)
Attachment #217369 -
Flags: review?(cbiesinger)
|
|
Assignee | |
Comment 15•18 years ago
|
||
Safari also implements strict header parsing from what I can tell.
|
||
Updated•18 years ago
|
Attachment #217369 -
Flags: superreview?(bzbarsky) → superreview+
|
||
Comment 16•18 years ago
|
||
Comment on attachment 217369 [details] [diff] [review] v1 patch the table and nsHttp::IsValidToken were just moved without changes, right?
Attachment #217369 -
Flags: review?(cbiesinger) → review+
|
|
Assignee | |
Comment 17•18 years ago
|
||
> the table and nsHttp::IsValidToken were just moved without changes, right?
Right.|
|
Assignee | |
Comment 18•18 years ago
|
||
fixed-on-trunk
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Updated•18 years ago
|
Attachment #217369 -
Flags: approval1.8.0.3?
Attachment #217369 -
Flags: approval-branch-1.8.1?(bzbarsky)
|
|
||
Updated•18 years ago
|
Attachment #217369 -
Flags: approval-branch-1.8.1?(bzbarsky) → approval-branch-1.8.1+
|
|
||
Comment 20•18 years ago
|
||
Comment on attachment 217369 [details] [diff] [review] v1 patch approved for 1.8.0 branch, a=dveditz for drivers
Attachment #217369 -
Flags: approval1.8.0.3? → approval1.8.0.3+
|
||
Comment 22•18 years ago
|
||
v.fixed on 1.8.0 branch: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060420 Firefox/1.5.0.2, no "hacked" popups with either of Darin's testcases, the second headers sent are not processed.
Keywords: fixed1.8.0.3 → verified1.8.0.3
|
|
||
Updated•18 years ago
|
Whiteboard: [sg:high] → [sg:high] coordinate advisory release with IPA
|
|
Reporter | |
Comment 23•18 years ago
|
||
IPA have confirmed that this vulnerability affects Firefox only. It's OK to publish security advisory as of Firefox 1.5.0.4. Thanks!
Whiteboard: [sg:high] coordinate advisory release with IPA → [sg:high]
|
|
Reporter | |
Comment 24•18 years ago
|
||
IPA told us that the original reporter is Kazuho Oku (Cybozu Labs). FYI: http://labs.cybozu.co.jp/en/archives/2005-08-16-1.html dveditz: Please mention his name in the upcoming advisory.
|
|
||
Updated•18 years ago
|
Group: security
|
||
Comment 25•18 years ago
|
||
proposed backport
|
|
||
Updated•18 years ago
|
Attachment #225476 -
Flags: review?(caillon)
You need to log in
before you can comment on or make changes to this bug.
Description
•