Mozilla has fixed a bug in the way that its Bugzilla website and other Mozilla sites handled certain errors, which could have been exploited to carry out a man-in-the-middle attack against an unsuspecting user.
The bug was related to the way the sites responded to requests from clients that carried an incorrect HTTP Host header. The Bugzilla site holds a wildcard SSL certificate that is also valid for other Mozilla.org hosts, so when a site answered such a mismatched request, the client could be redirected to a non-HTTPS page for the error message.
“As a result, a network attacker can divert a client connection bound for any *.mozilla.org site to one of these servers and cause the client to receive an incorrect redirect. This is already a breach of the integrity that SSL is supposed to provide. But what is worse, since the redirect is to http://, the attacker can substitute arbitrary content and thereby perform XSS,” Matt McCutchen wrote in an explanation of the certificate problem on Bugzilla.
Here is the attack scenario that McCutchen described:
1. User navigates to https://bugzilla.mozilla.org/.
2. Client connects to bugzilla.mozilla.org:443 to retrieve the HTML page; attacker lets it through.
3. Client opens additional connections to bugzilla.mozilla.org:443 to request embedded scripts. Attacker diverts them to www.mozilla.org:443. The www.mozilla.org server responds with redirects to http://www.mozilla.com/.
4. Client follows the redirect and fetches http://www.mozilla.com/. Attacker substitutes a malicious script. Client executes it in the
McCutchen reported the bug on Bugzilla in October, and Mozilla has since fixed it by changing the way the servers handle those requests.
“I have reviewed the issue and confirmed your concern. Defenses are in place to redirect requests that contain host headers that do not match the domain of the URL. However, as you’ve pointed out, this sometimes results in redirects to HTTP pages which could be intercepted by an attacker and modified with malicious content,” Mozilla’s Michael Coates wrote.
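The response class Coates describes, beside a hardened alternative, as an added example that is not Mozilla's code and does not reflect the actual fix: the hostnames, the handler names and the choice of a 421 Misdirected Request status are assumptions made for illustration.

```python
"""Handling a mismatched Host header on a TLS virtual host (constructed example)."""
from urllib.parse import urlsplit

# Constructed hostnames standing in for the hosts a wildcard certificate covers.
ALLOWED_HOSTS = {"bugzilla.example.org", "www.example.org"}
CANONICAL_HOST = "www.example.org"


def normalize_host(host_header):
    """Lower-case the Host header and drop an explicit port such as ':443'."""
    host = (host_header or "").strip().lower()
    return host.rsplit(":", 1)[0] if ":" in host else host


def weak_mismatch_handler(host_header):
    """The pattern in the article: a request whose Host header does not match
    is bounced to a plain-http URL, which a network attacker between the
    client and the server can replace with arbitrary content.
    Returns (status, headers)."""
    if normalize_host(host_header) in ALLOWED_HOSTS:
        return 200, {}
    return 301, {"Location": "http://%s/" % CANONICAL_HOST}


def hardened_mismatch_handler(host_header):
    """Never leave the https:// origin on a Host mismatch: refuse the request
    with 421 Misdirected Request (RFC 7540 section 9.1.2). If a redirect is
    preferred instead, it must point only at an https:// URL.
    Returns (status, headers)."""
    if normalize_host(host_header) in ALLOWED_HOSTS:
        return 200, {}
    return 421, {"Content-Type": "text/plain"}


def redirect_downgrades_tls(status, headers):
    """Audit helper for a server's own responses: True when a redirect's
    Location leaves HTTPS, i.e. the exact response class the article describes."""
    if status not in (301, 302, 303, 307, 308):
        return False
    scheme = urlsplit(headers.get("Location", "")).scheme.lower()
    return scheme == "http"
```

The audit helper can be run over responses a server emits to deliberately mismatched Host headers in a test environment, flagging any answer that steps down to http://.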