foundation-security-advisories/announce/2009/mfsa2009-27.md

1.5 KiB

announced fixed_in impact reporter title
June 11, 2009
Firefox 3.0.10
Thunderbird 2.0.0.22
SeaMonkey 1.1.17
High Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang SSL tampering via non-200 responses to proxy CONNECT requests

Description

Microsoft security researchers Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang reported that when a CONNECT request is sent to a proxy server and a non-200 response is returned, then the body of the response is incorrectly rendered within the context of the request Host: header. An active network attacker could use this vulnerability to intercept a CONNECT request and reply with a non-200 response containing malicious code which would be executed within the context of the victim's requested SSL-protected domain. Since this attack requires the victim to have a proxy configured, the severity of this issue was determined to be high.

Thunderbird mail messages are not vulnerable to this flaw, but if Thunderbird were being used in a browser-like manner (through Add-ons, perhaps) and JavaScript were enabled (not the default settng) then users could be vulnerable to this flaw in older versions.

References