Closed Bug 303672 Opened 19 years ago Closed 19 years ago

XmlHttp can be tricked into requesting pages from other servers if a 'transparent' proxy exists

Categories

(SeaMonkey :: Security, defect)

x86
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 302263

People

(Reporter: swhite, Assigned: dveditz)

Details

(Whiteboard: [sg:dupe 302263])

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

If web requests from a client computer are forced through a 'transparent' proxy
then it is possible to trick mozilla's XmlHttp component to request pages from
any server via the inclusion of a 'Host' header in the request.  Such proxies
are not uncommon, and it appears that this exploit does not depend on the
particular proxy employed (I have tested it with both the Squid based proxy in
IpCop and NTL's proxy, which I think is a NetApp NetCache appliance).

If the 'Host' header exists the proxies appear to use this in preference to the
IP address that is the real destination of the request.  It could be argued that
this is a bug in the web proxy in question, but I think the browser should
attempt to make it harder to exploit this issue.  I have been unable to carry
out the exploit under IE6 on Windows XP SP2 with all updates applied, though I
have managed older IE6 installs - so it looks like this may be something that
Microsoft have already addressed.  I have not yet investigated the impact of
this on Java (rather than JavaScript) code, as Java applets are also allowed to
make web requests - though with the same limitation that they should only be
made to the server from which the applet came.

Reproducible: Always

Steps to Reproduce:
1. Find a computer behind a transparent web proxy.  Many ISPs (such as NTL in
the UK) force requests through a web proxy.  IpCop can be configured to force all
requests from machines on the local network through its web proxy.
2. Go to http://trillian.randomstuff.org.uk/~stephen/badxmlhttp.html

Actual Results:  
The JavaScript will successfully request the contents of the 'news.bbc.co.uk'
site, which is not something JavaScript could be allowed to do.  There are many
potential privacy, phishing, cross site scripting and related exploits that I
think could be made easier or possible through such an ability.

Expected Results:  
Either reported a security error or ignored the request to add a 'Host' header
to the web request.

Tested under Firefox 1.0.6 on Windows and Linux, plus a few previous versions of
Firefox and of the Mozilla application suite.
In a trunk build I get:

Error: uncaught exception: [Exception... "Component returned failure code:
0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIXMLHttpRequest.setRequestHeader]" 
nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame ::
http://trillian.randomstuff.org.uk/~stephen/badxmlhttp.html :: <TOP_LEVEL> ::
line 25"  data: no]
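The trunk error above shows the browser refusing the script-supplied Host header. As an added illustration (not code from this bug report or from Mozilla), the following JavaScript models that check: the Host line is always derived from the request URL, and setRequestHeader rejects attempts to override it. The class name, the forbidden-header list and the error strings are assumptions chosen for this example.

```javascript
// Added example (not Mozilla code): a model of the check that makes
// setRequestHeader refuse a script-supplied Host header, so the Host a
// transparent proxy sees always matches the URL the script actually requested.

// Assumption: this list is illustrative. Host is the header this bug is about;
// the others are commonly reserved because the user agent owns their values.
const FORBIDDEN_REQUEST_HEADERS = new Set([
  'host', 'content-length', 'connection', 'transfer-encoding', 'proxy-authorization',
]);

// RFC 2616 token characters only, so a header name cannot carry separators.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isForbiddenRequestHeader(name) {
  return FORBIDDEN_REQUEST_HEADERS.has(String(name).trim().toLowerCase());
}

class GuardedXmlHttpRequest {
  constructor(url) {
    this.url = new URL(url);       // throws on a malformed URL
    this.headers = new Map();      // script-controlled headers only
  }

  setRequestHeader(name, value) {
    if (!TOKEN_RE.test(name)) {
      throw new Error('NS_ERROR_ILLEGAL_VALUE: bad header name ' + JSON.stringify(name));
    }
    if (isForbiddenRequestHeader(name)) {
      throw new Error('NS_ERROR_ILLEGAL_VALUE: ' + name + ' is set by the user agent');
    }
    // A CR or LF in a value would let a second header line (such as Host) be
    // smuggled in through an otherwise harmless header, so reject it as well.
    if (/[\r\n]/.test(String(value))) {
      throw new Error('NS_ERROR_ILLEGAL_VALUE: header value contains CR/LF');
    }
    this.headers.set(name.toLowerCase(), String(value));
    return this;
  }

  // The Host line that goes on the wire comes from the URL, never from script.
  hostHeader() {
    return this.url.host;
  }
}
```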

*** This bug has been marked as a duplicate of 302263 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 302263]
Group: security