
Vigil@nce: HTTPS, information disclosure via a proxy

June 2009 by Vigil@nce

When an attacker can set up a proxy between the user and an HTTPS web server, he can obtain sensitive information.

Severity: 2/4

Consequences: data reading

Provenance: intranet server

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Number of vulnerabilities in this bulletin: 5

Creation date: 18/06/2009

IMPACTED PRODUCTS

 HTTPS
 Microsoft Internet Explorer
 Mozilla Firefox
 Mozilla SeaMonkey
 Mozilla Suite
 Opera

DESCRIPTION OF THE VULNERABILITY

The HTTPS (HTTP+SSL) protocol is used to encrypt data between the
client and the server. A proxy between the client and the server
cannot obtain the content of exchanges. However, several alternate
attack methods can be used by a malicious proxy to obtain
information from the victim’s web browser.

When the proxy generates a 4xx or 5xx error page, the JavaScript
code it contains is interpreted in the context of the requested
HTTPS website. This JavaScript code can thus read the content of
the HTTPS web site displayed in the victim's web browser. This
vulnerability is corrected in IE 8, Firefox 3.0.10 and Opera 9.25.
[grav:2/4; CVE-2009-2057, CVE-2009-2059]

The proxy can redirect pages containing JavaScript code to a
malicious site. The malicious JavaScript code is then included in
the HTTPS page and interpreted in its context. This vulnerability
is corrected in Firefox 3.0.10 and Opera 9.25 (IE is not
vulnerable). [grav:2/4; BID-35412, CVE-2009-2061, CVE-2009-2063]

When a website allows users to load the same page over HTTP or
HTTPS, the proxy can use the HTTPS page to force the victim into
an SSL session, so that malicious JavaScript code can access HTTPS
data. This vulnerability is not corrected yet.
[grav:2/4; CVE-2009-2064, CVE-2009-2065, CVE-2009-2067]

A malicious SSL proxy can first allow an SSL session in order to
force the browser to keep the SSL certificate in its cache, and
then return a malicious 4xx or 5xx error page. This error page is
then displayed with the attributes of a secure page (lock,
green/blue address bar). This vulnerability is corrected in IE 8
and Firefox 3.0.10 (Opera is not vulnerable). [grav:2/4;
BID-35411, CVE-2009-2069, CVE-2009-2070]

When an HTTPS web site sets cookies without the "Secure" flag,
the proxy can use a plain HTTP session to obtain the cookie. This
vulnerability will not be corrected in web browsers: it has to be
corrected by web site developers. [grav:2/4]
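The cookie case is the one item in this bulletin that site developers, not browser vendors, must fix. The following added example (not part of the Vigil@nce bulletin) audits a list of Set-Cookie headers for cookies that lack the Secure attribute, which a browser would send over plain HTTP where a proxy can read them, and shows the server-side correction; the sample headers are constructed.

```python
from typing import Dict, List

# Constructed sample: Set-Cookie headers as an HTTPS site might return them.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",                          # no Secure
    "csrftoken=xyz789; Path=/; Secure; HttpOnly; SameSite=Strict",  # ok
    "prefs=dark; Path=/; Max-Age=31536000",                         # no Secure
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into its name, value and attributes.
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_exposed_to_http(headers: List[str]) -> List[str]:
    """Names of cookies without Secure: the browser also sends these on
    http:// requests to the same host, so a proxy on the path sees them."""
    return [
        parse_set_cookie(h)["name"]
        for h in headers
        if "secure" not in parse_set_cookie(h)["attrs"]
    ]


def harden_set_cookie(header: str) -> str:
    """Server-side fix: append Secure (and HttpOnly, which keeps the cookie
    out of reach of injected script) when they are missing."""
    cookie = parse_set_cookie(header)
    fixed = header.rstrip().rstrip(";")
    if "secure" not in cookie["attrs"]:
        fixed += "; Secure"
    if "httponly" not in cookie["attrs"]:
        fixed += "; HttpOnly"
    return fixed


if __name__ == "__main__":
    for name in cookies_exposed_to_http(SAMPLE_SET_COOKIE_HEADERS):
        print(f"cookie exposed over HTTP: {name}")
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(harden_set_cookie(h))
```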

When an attacker owns or can set up a proxy between the user and an
HTTPS web server, he can therefore obtain sensitive information.

CHARACTERISTICS

Identifiers: BID-35411, BID-35412, CVE-2009-2057, CVE-2009-2059,
CVE-2009-2061, CVE-2009-2063, CVE-2009-2064, CVE-2009-2065,
CVE-2009-2067, CVE-2009-2069, CVE-2009-2070, VIGILANCE-VUL-8806

http://vigilance.fr/vulnerability/HTTPS-information-disclosure-via-a-proxy-8806
