Closed
Bug 1291802
Opened 8 years ago
Closed 8 years ago
PAC FindProxyForUrl function can be used to obtain full HTTPS URLs in combination with WPAD
Categories
(Core :: Networking, defect)
RESOLVED
DUPLICATE
of bug 1255474
People
(Reporter: mozilla, Assigned: xeonchen)
Details
(Whiteboard: [necko-next])
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160729072959

Steps to reproduce:

Per http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/ calling FindProxyForUrl in a malicious PAC, which can be delivered via WPAD on a network to which a malicious operator is connected, can be used to exfiltrate full HTTPS URLs that would otherwise be protected by encryption.

Following Microsoft's approach with Edge and IE11, Firefox should truncate URLs to the host portion only before passing them to FindProxyForURL, at least in the case of HTTPS.
Comment 1•8 years ago
I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Severity: normal → enhancement
Component: Untriaged → Networking
Product: Firefox → Core
Thanks. I've changed the severity away from 'enhancement' as this is a security risk, which I don't think warrants the lowest level of importance. There doesn't seem to be a way for me to flag the issue as security-related other than an option when I reported it, which would have marked this as private, which it isn't at this stage given it has already been reported in the tech press.
Severity: enhancement → normal
To be clear, the security issue is that this exposes data that should be protected by encryption, i.e. the path/query/fragment portions of HTTPS URLs.
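The truncation requested in this bug, as an added example that is not part of the bug thread and not Firefox's code: an HTTPS URL is cut down to scheme and host before a PAC script's FindProxyForURL sees it. The helper names, the recording PAC function, the sample URLs and the treatment of wss: are assumptions of this example.

```javascript
// Added example; sanitizeUrlForPac, resolveProxy and makeRecordingPac are
// hypothetical names, not Firefox (necko) code.

// Schemes whose path, query and fragment are encrypted on the wire.
// Treating wss: like https: is an assumption of this example.
const ENCRYPTED_SCHEMES = new Set(["https:", "wss:"]);

// Return the URL string that is safe to hand to a PAC script.
function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl); // throws TypeError on malformed input
  if (!ENCRYPTED_SCHEMES.has(u.protocol)) {
    return rawUrl; // cleartext schemes are already visible on the network
  }
  // u.host keeps a non-default port and IPv6 brackets, and never contains
  // the userinfo, so credentials, path, query and fragment are all dropped.
  return `${u.protocol}//${u.host}/`;
}

// Call a PAC FindProxyForURL(url, host) function with the truncated URL.
function resolveProxy(findProxyForURL, rawUrl) {
  const host = new URL(rawUrl).hostname;
  return findProxyForURL(sanitizeUrlForPac(rawUrl), host);
}

// Constructed stand-in for a PAC script: records what it is given and
// always answers DIRECT, so the caller can inspect what a script would see.
function makeRecordingPac(seen) {
  return function FindProxyForURL(url, host) {
    seen.push({ url, host });
    return "DIRECT";
  };
}

// Constructed sample URLs (example.com hosts, made-up token).
function demo() {
  const seen = [];
  const pac = makeRecordingPac(seen);
  resolveProxy(pac, "https://accounts.example.com/reset?token=CONSTRUCTED#step2");
  resolveProxy(pac, "http://intranet.example.com/wiki/Home?x=1");
  return seen;
}

console.log(demo());
```

Proxy selection by host still works after truncation, since the host argument and the host part of the URL are unchanged.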
Comment 4•8 years ago
I will mark this as necko-next. Gary, can you take a look?
Flags: needinfo?(xeonchen)
Updated•8 years ago
Whiteboard: [necko-next]
Comment 5•8 years ago (Assignee)
(In reply to Dragana Damjanovic [:dragana] from comment #4)
> I will mark this as necko-next.
> Gary, can you take a look?

Sure, I'll check this later.
Assignee: nobody → xeonchen
Flags: needinfo?(xeonchen)
Comment 6•8 years ago (Assignee)
I think this is a duplicate of bug 1255474, which has the security flag.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
It's a bit pointless for the active bug on this to be hidden from public view since this is a known issue with Firefox and already publicised. Is it possible to make the other bug visible so people can see what's going on with it?
Comment 8•8 years ago (Assignee)
(In reply to mozilla from comment #7)
> It's a bit pointless for the active bug on this to be hidden from public
> view since this is a known issue with Firefox and already publicised. Is it
> possible to make the other bug visible so people can see what's going on
> with it?

I believe this is in progress :)
Comment 9•8 years ago
The bugfix was merged here: http://hg.mozilla.org/mozilla-central/log?rev=303393%3Adf6b25262c65