form submit bypasses change of security realm



14 years ago


(Reporter: boinka, Assigned: dveditz)






14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

Mozilla, new install, new profile, Win XP SP1, reproducible,
saved passwords used or not.

Using protocol https, self-signed low-grade 40-bit certs from Oracle 9iAS 9.0.3
(uses Apache webserver).

We have a website that has several different security realms. When a user moves
from one realm to another via link or URL pasting, the browser (Mozilla or
Firefox) challenges the user for credentials. However, when a user moves from one
realm to another via form submit button (either GET or POST), they are not
challenged, and the page in the new realm downloads and displays (without
authorization as far as I can tell). I don't know if Mozilla tries existing
domain credentials automatically for form submits or what, but this does not
*seem* like correct standards-based behavior. A user should be challenged at
each new realm no matter how they get there.

Reproducible: Always

Steps to Reproduce:
1. create a website with two pages, each in a different security realm
2. 1st page should have form action pointing to 2nd page (absolute action URL in
this case)
3. GET 1st page - you will be challenged for 1st realm credentials
4. submit form to GET or POST 2nd page - you will get the 2nd page with no challenge

Actual Results:  
Saw form results page without being challenged for credentials.

Expected Results:  
Challenged user for credentials when changing realms, no matter how the new
realm is reached.


14 years ago
Flags: blocking1.7.7?


14 years ago
Blocks: 289187
Do you have a testcase?

Comment 2

14 years ago
(In reply to comment #1)
> Do you have a testcase?


Unfortunately, the test case is an intranet company data system which cannot be
seen on the open internet. I tried to describe how the system is set up in my
original post. If you set up an Apache server with two pages, each in their own
realm, one of which has a form with an action of the other page (absolute or
relative URL) and a submit button, you should see the behavior if the user is
allowed in both groups.

I might be able to pare down the Apache config files to the security and user
sections for you to use as an example, but you would have to set yours up
manually anyway because of your local directory structure and the password file.

Let me know if you'd like this, or have specific questions.

P.S. - Another thought I had is that the pages in question are generated by the
Oracle database through their mod_plsql plugin to Apache. I'm going to try some
tests today on flat-file pages to see if there is something weird going on with
the Oracle plugin, or if it's a general case with realms. You may or may not
want to hold off until I can give you results.

-Rich S.

Comment 3

14 years ago
Well, apparently this is the "intended" behavior. Mozilla, Firefox, and the
dreaded IE all try existing domain credentials on a new realm before prompting a
user for new credentials. However, I can find no concrete definition in any
standards regarding this behavior. Is it a standard, or is it the de-facto way
of doing things? If one of y'all knows where this is specifically spelled out,
I'd sure like to read it...

In any case, y'all can whack this "bug" report...

Sorry for wasting your time.

-Rich S.
As I see it there are three things that could be going on:

 1. The browser has been told the different passwords (e.g. by logging in to 
    those realms earlier in the session) and when switching realms during form 
    submission, the UA is simply reusing the passwords it was given. That would 
    be correct behaviour (we should automatically include authentication
    information when submitting to URIs we know are in a particular realm, and 
    should be automatically sending authentication information to sites that we 
    believe could be in a particular realm). Note that we don't get told the
    realm unless we fail to send authentication information or send the wrong
    authentication details.

 2. The browser has been told one password, that of the first realm, and the 
    server is accepting it as the password of the second realm. Since the UA
    doesn't send the realm information, and the server doesn't send realm info
    unless the login failed, neither the server nor the browser know that they
    think they are in different realms.

 3. The browser doesn't send any authentication information, and the server
    isn't complaining, maybe because it's a POST. The browser doesn't get told
    there's a new realm, and so doesn't know anything is wrong.

I don't see how the UA, the browser, could in any way bypass the security checks
on the server. That's the server's responsibility.

[I propose we open this bug and ask for someone in the community to set up a
testcase for this.]
Sorry, didn't see your last comment before submitting mine.

Yes, I believe this behaviour is spelt out in the relevant HTTP and HTTP auth
specs, but I don't have the reference with me right now.

[Opening bug and marking invalid per reporter.]
Group: security
Last Resolved: 14 years ago
Resolution: --- → INVALID


14 years ago
Flags: blocking1.7.7?
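
Added example, not part of the original bug report or of Mozilla's code: a small Python model of the second scenario listed in the comments above, where the browser reuses the credentials it already holds and the server accepts them for the second realm. The paths, realm names, accounts and the one-credential-per-host cache are constructed assumptions for illustration.

```python
import base64

# Constructed data: two Basic-auth realms on one host, as in the report.
REALMS = {"/app/a/": "Realm A", "/app/b/": "Realm B"}
USERS = {  # realm -> {user: password}; "rich" is allowed in both groups
    "Realm A": {"rich": "s3cret", "alice": "pw-a"},
    "Realm B": {"rich": "s3cret"},
}

def server(path, authorization=None):
    """Return (status, realm). The realm is only revealed in a 401 challenge."""
    realm = next(r for prefix, r in REALMS.items() if path.startswith(prefix))
    if authorization and authorization.startswith("Basic "):
        user, _, pw = base64.b64decode(authorization[6:]).decode().partition(":")
        if USERS[realm].get(user) == pw:
            return 200, None
    return 401, realm

class UserAgent:
    """Hypothetical browser model: keeps the last credential that worked for
    the host, sends it preemptively, and prompts only after a 401."""
    def __init__(self, prompt):
        self.prompt = prompt      # callable(realm) -> (user, password)
        self.cached = None        # last Authorization header that worked
        self.prompts = []         # realms the user was actually asked about

    def fetch(self, path):
        status, realm = server(path, self.cached)
        if status == 401:
            self.prompts.append(realm)
            user, pw = self.prompt(realm)
            header = "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()
            status, _ = server(path, header)
            if status == 200:
                self.cached = header
        return status

def run(user, passwords):
    """Load a page in realm A, then submit its form to realm B.
    Returns (HTTP statuses, realms the user was prompted for)."""
    ua = UserAgent(lambda realm: (user, passwords.get(realm, "")))
    statuses = [ua.fetch("/app/a/form"), ua.fetch("/app/b/result")]
    return statuses, ua.prompts

if __name__ == "__main__":
    print(run("rich", {"Realm A": "s3cret"}))                  # valid in both realms
    print(run("alice", {"Realm A": "pw-a", "Realm B": "x"}))   # valid in realm A only
```

The account that exists in both realms crosses the boundary without a prompt, while the realm-A-only account gets a 401 naming Realm B; whether the second realm is enforced depends on the server rejecting the first realm's credentials.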