User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.5 Safari/534.30

Steps to reproduce:
Vulnerability description: A vulnerability in the way the SSL and TLS protocols allow renegotiation requests may allow an attacker to inject plaintext into an application protocol stream. This could result in a situation where the attacker may be able to issue commands to the server that appear to be coming from a legitimate source. This issue affects SSL version 3.0 and newer and TLS version 1.0 and newer.
Affected items: account.services.mozilla.com

Actual results:
A remote, unauthenticated attacker may be able to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream. This could allow an attacker to issue HTTP requests, or take action impersonating the user, among other consequences.

Expected results:
Care should be taken that they will be patched. Thank you
The only thing https://www.ssllabs.com/ssltest/analyze.html?d=account.services.mozilla.com&hideResults=on says is that client-initiated renegotiation is enabled, which can be used for DoS (https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks).
I'm not sure what the exact attack is. I believe this deals with CVE-2009-3555. So an attacker can prefix some chosen bytes to the communication, though only during the renegotiation. There isn't anything interesting that the attacker could do without the user being authenticated.
But the issue exists, sir, and will this issue come under the bounty program? Thank you
No problem, both have been rewarded by Facebook. Mozilla is not a serious company, report bugs for Google Chrome. :)
It is none of your business firstname.lastname@example.org
Duplicate! Someone got added to this list, and what is the update on this vulnerability? REED. Thanks
Comment 0 seems to be describing _insecure_ renegotiation, but provides no evidence that our server suffers from it. The SSLLabs report says we don't, and we certainly know about the problem (we had to pester the providers of our load-balancing hardware to support the Renegotiation extension). The renegotiation attacks weren't all that hard to demonstrate (see the one used against Twitter in 2009); have you actually been able to inject prefix data?
Absent a response to comment 11, this looks invalid as per https://www.ssllabs.com/ssltest/analyze.html?d=account.services.mozilla.com (we're aware of the secure negotiation DoS potential, but that would not qualify for a web bug bounty.)
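The property comments 8 and 9 rely on, whether the server negotiates the RFC 5746 Renegotiation extension that closes CVE-2009-3555, can be checked from the command line with `openssl s_client`. The script below is an added example, not part of this bug thread or Mozilla's tooling; the hostname argument and the sample outputs are assumptions, and the live check needs network access and an OpenSSL binary.

```shell
# Classify one run of `openssl s_client` output by its renegotiation line.
# OpenSSL prints "Secure Renegotiation IS supported" when the RFC 5746
# extension was negotiated (the fix for CVE-2009-3555) and
# "Secure Renegotiation IS NOT supported" otherwise.
# Prints secure|insecure|unknown; exit status 0, 1 or 2 respectively.
classify_reneg() {
  case "$1" in
    *"Secure Renegotiation IS supported"*)     echo secure;   return 0 ;;
    *"Secure Renegotiation IS NOT supported"*) echo insecure; return 1 ;;
    *)                                         echo unknown;  return 2 ;;
  esac
}

# Live check of a host (assumed hostname and port; needs network + openssl).
# This answers only the insecure-renegotiation question from comment 8;
# whether client-initiated renegotiation is enabled (the DoS point in
# comment 2) is not visible in this line and needs a separate test.
check_host_reneg() {
  host="$1"; port="${2:-443}"
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null)
  classify_reneg "$out"
}

# Constructed sample outputs (trimmed, not real captures) for offline use.
SAMPLE_SECURE='SSL handshake has read 3165 bytes and written 415 bytes
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Secure Renegotiation IS supported
Compression: NONE'
SAMPLE_INSECURE='New, TLSv1.0, Cipher is AES128-SHA
Secure Renegotiation IS NOT supported'
SAMPLE_FAILED='connect: Connection refused
connect:errno=111'

# Usage against a real host (assumed): check_host_reneg account.services.mozilla.com
```

A result of `unknown` means the handshake did not complete (or the output format differs), so treat it as "not checked" rather than as either answer.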