Closed
Bug 1275879
Opened 9 years ago
Closed 9 years ago
MITM via Thunderbird autoconfig
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 971347
People
(Reporter: monolithed, Unassigned)
Details
(Keywords: 64bit, mail-integration, reporter-external, Whiteboard: [reporter-external] [web-bounty-form] [verif?])
➜ curl -v curl -v http://autoconfig.******.com/mail/config-v1.1.xml
* Hostname was NOT found in DNS cache
* Trying 63.245.213.24...
* Connected to autoconfig.thunderbird.net (63.245.213.24) port 80 (#0)
......
➜ sudo tcpdump -s0 -X dst port 80
4:58:31.590707 IP msk-wire-macbook-pro-a.****** > ******com.http: Flags [P.], seq 0:355, ack 1, win 4104, options [nop,nop,TS val 1075928934 ecr 4243060845], length 355: HTTP: GET /mail/config-v1.1.xml?emailaddress=******@****** HTTP/1.1
0x0000: 0000 0c07 ac02 6003 0898 d8a2 0800 4500 ......`.......E.
0x0010: 0197 c4cf 4000 4006 0917 6460 a297 d945 ....@.@...d`...E
0x0020: 8b3d d2af 0050 8cf9 cc9d 64a6 bd1a 8018 .=...P....d.....
0x0030: 1008 d5ba 0000 0101 080a 4021 5f66 fce7 ..........@!_f..
0x0040: f86d 4745 5420 2f6d 6169 6c2f 636f 6e66 .mGET./mail/conf
0x0050: 6967 2d76 312e 312e 786d 6c3f 656d 6169 ig-v1.1.xml?emai
.....
It seems to be this place:
mailnews/base/prefs/content/accountcreation/fetchConfig.js
let url1 = "http://autoconfig." + sanitize.hostname(domain) +
           "/mail/config-v1.1.xml";
// .well-known/ <http://tools.ietf.org/html/draft-nottingham-site-meta-04>
let url2 = "http://" + sanitize.hostname(domain) +
           "/.well-known/autoconfig/mail/config-v1.1.xml";
........
It's possible to replace the unsecured autoconfig file with a fake one and send user credentials to a hacker's server!
Flags: sec-bounty?
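An added example, not part of the bug report and not Thunderbird's code: the two lookup locations from the excerpt built over HTTPS only, with a check that rejects a response whose redirect chain ended on cleartext HTTP. The function names, the hostname rule and the shape of the fetch-result objects are assumptions made for this sketch.

```javascript
// Added illustration, not Thunderbird code; all function names are hypothetical.

// Accept only a plain DNS name (letters, digits, hyphens per label), so input
// such as "example.com/@evil.test" cannot change the URL authority.
function sanitizeHostname(domain) {
  const host = String(domain).trim().toLowerCase();
  const label = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;
  const labels = host.split(".");
  if (host.length > 253 || !labels.every((l) => label.test(l))) {
    throw new Error("invalid hostname: " + domain);
  }
  return host;
}

// The same two locations as the excerpt, built with https:// only.
function autoconfigUrls(domain) {
  const host = sanitizeHostname(domain);
  return [
    "https://autoconfig." + host + "/mail/config-v1.1.xml",
    "https://" + host + "/.well-known/autoconfig/mail/config-v1.1.xml",
  ];
}

// finalUrl is the URL after redirects. Both hops must be https, otherwise an
// on-path attacker can substitute the XML the client goes on to trust.
function isAcceptableConfigSource(requestedUrl, finalUrl) {
  try {
    return new URL(requestedUrl).protocol === "https:" &&
           new URL(finalUrl).protocol === "https:";
  } catch (e) {
    return false; // unparsable URL: treat as untrusted
  }
}

// results: fetch outcomes shaped as {requestedUrl, finalUrl, status}
// (a constructed shape for this example). Returns the first usable one or null.
function selectConfig(domain, results) {
  const wanted = new Set(autoconfigUrls(domain));
  const usable = (r) => wanted.has(r.requestedUrl) && r.status === 200 &&
    isAcceptableConfigSource(r.requestedUrl, r.finalUrl);
  return results.find(usable) || null;
}
```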
Reporter
Updated•9 years ago
Group: websites-security
Severity: normal → critical
Component: Other → Security
Keywords: mail-integration, sec-incident
Product: Websites → Thunderbird
Reporter
Updated•9 years ago
Group: mail-core-security
Comment 1•9 years ago
Duplicate of bug 971347?
Reporter
Comment 2•9 years ago
Yep, thanks! This issue can be closed.
Flags: needinfo?(mkmelin+mozilla)
Updated•9 years ago
Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: sec-bounty?
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → DUPLICATE
Updated•7 years ago
Keywords: sec-incident → 64bit
Updated•1 year ago
Keywords: reporter-external