SSL tampering via non-200 responses to proxy CONNECT requests — Mozilla

2009-06-1100:00:00

Mozilla Foundation

www.mozilla.org

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS

0.011

Percentile

84.6%

JSON

Microsoft security researchers Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang reported that when a CONNECT request is sent to a proxy server and a non-200 response is returned, then the body of the response is incorrectly rendered within the context of the request Host: header. An active network attacker could use this vulnerability to intercept a CONNECT request and reply with a non-200 response containing malicious code which would be executed within the context of the victim’s requested SSL-protected domain. Since this attack requires the victim to have a proxy configured, the severity of this issue was determined to be high.

Affected configurations

Vulners

Node

mozillafirefoxRange<3.0.10

mozillaseamonkeyRange<1.1.17

mozillathunderbirdRange<2.0.0.22

VendorProductVersionCPE
mozillafirefox*cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*
mozillaseamonkey*cpe:2.3:a:mozilla:seamonkey:*:*:*:*:*:*:*:*
mozillathunderbird*cpe:2.3:a:mozilla:thunderbird:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
mozilla	firefox	*	cpe:2.3:a:mozilla:firefox::::::::
mozilla	seamonkey	*	cpe:2.3:a:mozilla:seamonkey::::::::
mozilla	thunderbird	*	cpe:2.3:a:mozilla:thunderbird::::::::