Closed
Bug 1095859
(CVE-2014-8639)
Opened 10 years ago
Closed 10 years ago
Cookie injection by Proxy with 407 response
Categories
(Core :: Networking, defect)
People
(Reporter: iliwoy, Assigned: mcmanus)
Details
(Keywords: sec-moderate, Whiteboard: [adv-main35+][adv-esr31.4+][b2g-adv-main2.2-])
Attachments
(1 file)
5.18 KB, patch
valentin: review+
lsblakk: approval-mozilla-aurora+
lmandel: approval-mozilla-beta-
bkerensa: approval-mozilla-esr31+
bajaj: approval-mozilla-b2g34+
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36
Steps to reproduce:
1. Set up an HTTP proxy in Firefox.
2. Navigate to https://mail.google.com.
Chrome actually sends a CONNECT request:
CONNECT mail.google.com:443 HTTP/1.1
Host: mail.google.com
3. The proxy responds with a 407 message, including Set-Cookie headers.
HTTP/1.1 407 Proxy Authentication Required
Proxy-Authenticate: Basic realm="auth"
Set-Cookie: SID=malicious; domain=.mail.google.com;
Actual results:
Firefox mistakenly accepts the malicious cookies.
Expected results:
Firefox should ignore such Set-Cookie headers.
This bug occurs in ./netwerk/protocol/http/nsHttpChannel.cpp, line 1244.
1225     if (mTransaction->ProxyConnectFailed()) {
1226         // Only allow 407 (authentication required) to continue
1227         if (httpStatus != 407)
1228             return ProcessFailedProxyConnect(httpStatus);
1229         // If proxy CONNECT response needs to complete, wait to process connection
1230         // for Strict-Transport-Security.
1231     } else {
1232         // Given a successful connection, process any STS data that's relevant.
1233         rv = ProcessSTSHeader();
1234         MOZ_ASSERT(NS_SUCCEEDED(rv), "ProcessSTSHeader failed, continuing load.");
1235     }
1236
1237     MOZ_ASSERT(!mCachedContentIsValid);
1238
1239     ProcessSSLInformation();
1240
1241     // notify "http-on-examine-response" observers
1242     gHttpHandler->OnExamineResponse(this);
1243
1244     SetCookie(mResponseHead->PeekHeader(nsHttp::Set_Cookie));
If the response does not contain a Proxy-Authenticate header, like this:
HTTP/1.1 407 Proxy Authentication Required
Set-Cookie: SID=malicious; domain=.mail.google.com;
the cookie will be injected silently (without an authentication dialog).
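The following is an added illustration, not Gecko code: a small Python model of the response path quoted above. A CONNECT to an HTTPS origin is answered by the proxy, so a Set-Cookie in its 407 reply comes from the proxy, yet the channel URI names the origin; the model shows the vulnerable ordering (cookies applied regardless of ProxyConnectFailed) beside the conditional behaviour the fix introduces. Names such as CookieJar and process_response are hypothetical, and the 407 reply is the constructed one from the report.

```python
def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


class CookieJar:
    """Hypothetical jar keyed by the origin host the channel believes it is loading."""

    def __init__(self):
        self.cookies = {}  # origin host -> {cookie name: value}

    def set_cookie(self, origin_host: str, header_value: str):
        name, value = header_value.split(";", 1)[0].split("=", 1)
        self.cookies.setdefault(origin_host, {})[name.strip()] = value.strip()


def process_response(raw, origin_host, proxy_connect_failed, jar, hardened=True):
    """Model of ProcessResponse(): returns the status and applies Set-Cookie.

    proxy_connect_failed mirrors mTransaction->ProxyConnectFailed(): True when the
    proxy answered the CONNECT itself instead of opening the tunnel to the origin.
    """
    status, headers = parse_response(raw)
    if proxy_connect_failed and status != 407:
        return status  # ProcessFailedProxyConnect(): no further header processing
    # Vulnerable ordering: SetCookie() ran here for every response, including a
    # 407 written by the proxy, so the proxy wrote cookies for origin_host.
    # Hardened: headers of a failed CONNECT belong to the proxy, so cookie (and,
    # per comment 3, Alt-Svc) processing is skipped until the tunnel succeeds.
    if hardened and proxy_connect_failed:
        return status
    for name, value in headers:
        if name == "set-cookie":
            jar.set_cookie(origin_host, value)
    return status


# Constructed proxy reply from the report: a 407 with no Proxy-Authenticate,
# so no authentication dialog is shown and the injection is silent.
PROXY_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
             b"Set-Cookie: SID=malicious; domain=.mail.google.com;\r\n\r\n")
```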
Comment 2•10 years ago
Jason: who should get this bug?
Status: UNCONFIRMED → NEW
Component: Untriaged → Networking
Ever confirmed: true
Flags: needinfo?(jduell.mcbugs)
Keywords: sec-moderate
Product: Firefox → Core
Comment 3•10 years ago
great bug. thanks.
I'll patch this up - processAltSvc should be similarly restricted - like the logic that protects ProcessSecurityHeaders() except they need to continue to happen after OnExamineResponse.
Flags: needinfo?(jduell.mcbugs)
Comment 4•10 years ago
Updated•10 years ago
Assignee: nobody → mcmanus
Status: NEW → ASSIGNED
Updated•10 years ago
Attachment #8524233 - Flags: review?(valentin.gosu)
Comment 5•10 years ago
Comment on attachment 8524233 [details] [diff] [review]
proxy tweak
Looks good. Thanks!
Attachment #8524233 - Flags: review?(valentin.gosu) → review+
Comment 6•10 years ago
Comment 7•10 years ago
https://wiki.mozilla.org/Security/Bug_Approval_Process says to go ahead and land sec-moderate - so i did!
Comment 8•10 years ago
Comment on attachment 8524233 [details] [diff] [review]
proxy tweak
Approval Request Comment
[Feature/regressing bug #]: Firefox 1.0 :)
[User impact if declined]: cookie injection attack against https sites (write only - which is a mitigation) with active network attacker.
[Describe test coverage new/current, TBPL]: new xpcshell tbpl coverage
[Risks and why]: modest - the gecko change is just a few lines, making old cookie behavior conditional
[String/UUID change made/needed]: none
Attachment #8524233 - Flags: approval-mozilla-beta?
Attachment #8524233 - Flags: approval-mozilla-aurora?
Target Milestone: --- → mozilla36
Comment 10•10 years ago
Comment on attachment 8524233 [details] [diff] [review]
proxy tweak
Seeing as we've shipped this forever, this is sec-moderate, and we're down to the last 34 Beta, I think we can wait a few more weeks. Let's consider this fix for 35. Beta-
Attachment #8524233 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Comment 11•10 years ago
Should we take this on ESR?
Comment 12•10 years ago
Comment on attachment 8524233 [details] [diff] [review]
proxy tweak
yes - we should take it on esr. I overlooked that, thanks
[Approval Request Comment] -
If this is not a sec:{high,crit} bug, please state case for ESR consideration: see above
User impact if declined: see above
Fix Landed on Version:36
Risk to taking this patch (and alternatives if risky): see above
String or UUID changes made by this patch: none
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Flags: needinfo?(mcmanus)
Attachment #8524233 - Flags: approval-mozilla-esr31?
Comment 13•10 years ago
As I don't think we need to take this in 34, I suggest that we take the fix in Firefox 35 and ESR 31.4.
Comment 14•10 years ago
Comment on attachment 8524233 [details] [diff] [review]
proxy tweak
Approving for Aurora, ESR approval will have to wait until after we've got 31.3 esr underway.
Attachment #8524233 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 15•10 years ago
Updated•10 years ago
Updated•10 years ago
status-b2g-v1.4: --- → wontfix
status-b2g-v2.0: --- → affected
status-b2g-v2.0M: --- → affected
status-b2g-v2.1: --- → affected
status-b2g-v2.2: --- → fixed
Updated•10 years ago
Attachment #8524233 - Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
Updated•10 years ago
Comment 16•10 years ago
Comment 17•10 years ago
sec-moderates generally aren't being taken for B2G v2.0 without good reason at this point, but can you please request b2g34 approval for v2.1 still?
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mcmanus)
Resolution: --- → FIXED
Comment 18•10 years ago
Comment on attachment 8524233 [details] [diff] [review]
proxy tweak
NOTE: Please see https://wiki.mozilla.org/Release_Management/B2G_Landing to better understand the B2G approval process and landings.
[Approval Request Comment]
see comments 17, 12, 8 for justifications on other branches.
Flags: needinfo?(mcmanus)
Attachment #8524233 - Flags: approval-mozilla-b2g34?
Updated•10 years ago
Attachment #8524233 - Flags: approval-mozilla-b2g34? → approval-mozilla-b2g34+
Comment 19•10 years ago
Flags: in-testsuite+
Updated•10 years ago
Whiteboard: [adv-main35+][adv-esr31.4+]
Updated•10 years ago
Alias: CVE-2014-8639
Comment 20•10 years ago
People are reporting that ff35 breaks setups using proxies for authentication (bug 1121895), and, based on having this in the release notes, suspect this broke it.
Comment 21•10 years ago
This can be opened based on
https://www.mozilla.org/de/security/advisories/mfsa2015-04/
Group: core-security
Comment 22•10 years ago
Patrick, please don't open bugs without checking with me and Dan. Once we release an advisory and fix for an issue, we generally wait at least six weeks to open the bug barring an immediate need.
Comment 23•10 years ago
Did the patch make it into the 2.1 release?
Flags: needinfo?(ryanvm)
Whiteboard: [adv-main35+][adv-esr31.4+] → [adv-main35+][adv-esr31.4+][b2g-adv-main2.2?]
Updated•10 years ago
Whiteboard: [adv-main35+][adv-esr31.4+][b2g-adv-main2.2?] → [adv-main35+][adv-esr31.4+][b2g-adv-main2.2-]