Mozilla has fixed a bug in the way its Bugzilla Web site and other hosts under mozilla.org handled requests carrying a mismatched HTTP Host header, a flaw that an attacker in a man-in-the-middle position could have used to inject script into a user's HTTPS session with Bugzilla.
The bug was in how the sites responded when a client sent a Host header naming a different server from the one it had actually reached. The Bugzilla site is served with a wildcard SSL certificate for *.mozilla.org, which is equally valid for www.mozilla.org and the other hosts under that domain, so a network attacker can divert a TLS connection meant for one of those hosts to another without triggering a certificate warning. The server that receives the mismatched request answers by redirecting the client to a plain http:// page, and that unencrypted response is one an attacker on the path can replace with arbitrary content.
“As a result, a network attacker can divert a client connection bound for any *.mozilla.org site to one of these servers and cause the client to receive an incorrect redirect. This is already a breach of the integrity that SSL is supposed to provide. But what is worse, since the redirect is to http://, the attacker can substitute arbitrary content and thereby perform XSS,” Matt McCutchen wrote in an explanation of the certificate problem on Bugzilla.
Here is the attack scenario that McCutchen described:
1. User navigates to https://bugzilla.mozilla.org/ .
2. Client connects to bugzilla.mozilla.org:443 to retrieve the HTML page; attacker lets it through.
3. Client opens additional connections to bugzilla.mozilla.org:443 to request embedded scripts. Attacker diverts them to www.mozilla.org:443. The www.mozilla.org server responds with redirects to http://www.mozilla.com/ .
4. Client follows the redirect and fetches http://www.mozilla.com/ . Attacker substitutes a malicious script. Client executes it in the https://bugzilla.mozilla.org/ origin.
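The four steps above, played out as a small simulation. This is an added example, not Mozilla's server code and not McCutchen's proof of concept: the host names are the ones from the report, while the server logic, the script path /js/app.js, the attacker model and the hardened handler (which refuses a mismatched Host with 421 Misdirected Request instead of redirecting) are assumptions made for illustration. The report does not say how Mozilla's actual fix works.

```python
"""Simulation of the Host-header redirect weakness described above.

Added example, not Mozilla's code.  Host names come from the report; the
handlers, the /js/app.js path, the attacker model and the 421-based fix
are assumptions made for illustration.
"""
from typing import Optional
from urllib.parse import urlsplit

WILDCARD_CERT = "*.mozilla.org"   # one certificate, presented by every vhost below


def cert_covers(cert_pattern: str, host: str) -> bool:
    """Minimal wildcard check: '*.mozilla.org' covers exactly one extra label,
    so bugzilla.mozilla.org and www.mozilla.org match but www.mozilla.com,
    mozilla.org and a.b.mozilla.org do not."""
    if cert_pattern.startswith("*."):
        suffix = cert_pattern[1:]                       # ".mozilla.org"
        label = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(label) and "." not in label
    return host == cert_pattern


# --- server side (assumed behaviour) ---------------------------------------

def vulnerable_handler(vhost: str, host_header: str, path: str) -> dict:
    """Behaviour from the report: a Host header that does not match the vhost is
    bounced to a fixed plain-http page (assumed here to be http://www.mozilla.com/)."""
    if host_header != vhost:
        return {"status": 302, "location": "http://www.mozilla.com/"}
    return {"status": 200, "body": f"/* genuine script from https://{vhost}{path} */"}


def hardened_handler(vhost: str, host_header: str, path: str) -> dict:
    """Assumed fix: never send a TLS client to a non-TLS URL.  A mismatched Host
    is refused outright with 421 Misdirected Request; nothing to follow, nothing
    to rewrite in transit."""
    if host_header != vhost:
        return {"status": 421, "body": ""}
    return {"status": 200, "body": f"/* genuine script from https://{vhost}{path} */"}


# --- client and network ----------------------------------------------------

def tls_connect(requested_host: str, divert_to: Optional[str] = None) -> str:
    """Model the TLS handshake.  A network attacker can steer the TCP connection
    to any server, but the client only proceeds if the certificate that server
    presents is valid for the host the client asked for.  All *.mozilla.org
    vhosts present the same wildcard cert, which is the whole problem."""
    actual = divert_to or requested_host
    if not cert_covers(WILDCARD_CERT, actual):
        raise ConnectionError(f"{actual} does not hold the {WILDCARD_CERT} certificate")
    if not cert_covers(WILDCARD_CERT, requested_host):
        raise ConnectionError(f"certificate {WILDCARD_CERT} is not valid for {requested_host}")
    return actual            # the vhost the client really talks to


def load_script(handler, divert_to: Optional[str] = None,
                attacker_plaintext: Optional[str] = None, max_redirects: int = 3) -> dict:
    """A page at https://bugzilla.mozilla.org/ loads <script src="/js/app.js">.
    Whatever body finally comes back runs in the *document's* origin, regardless
    of which server produced it or whether the last hop was plaintext."""
    url = "https://bugzilla.mozilla.org/js/app.js"
    for _ in range(max_redirects):
        parts = urlsplit(url)
        if parts.scheme == "https":
            vhost = tls_connect(parts.hostname, divert_to)
            resp = handler(vhost, parts.hostname, parts.path)
        else:
            # Plaintext hop: an on-path attacker can replace the response outright.
            body = attacker_plaintext if attacker_plaintext is not None else "/* real page */"
            resp = {"status": 200, "body": body}
        if resp["status"] in (301, 302):
            url = resp["location"]
            continue
        executed_in = "https://bugzilla.mozilla.org" if resp["status"] == 200 else None
        return {"status": resp["status"], "body": resp["body"],
                "fetched_from": url, "executed_in": executed_in}
    raise RuntimeError("too many redirects")


if __name__ == "__main__":
    payload = "alert(document.cookie) /* attacker-controlled, constructed sample */"
    print("vulnerable:", load_script(vulnerable_handler, "www.mozilla.org", payload))
    print("hardened:  ", load_script(hardened_handler, "www.mozilla.org", payload))
```

The vulnerable run ends with the attacker's plaintext body marked as executing in the https://bugzilla.mozilla.org origin even though it was fetched from http://www.mozilla.com/, which is exactly step 4. Two things the simulation makes concrete: the diversion in step 3 succeeds only because `cert_covers` accepts the same wildcard certificate for both hosts, and the server-side rule that closes the hole is that a TLS endpoint must never answer a mismatched Host with a redirect to plaintext. Modern browsers additionally block active mixed content, which stops step 4 on the client, but that does not excuse the server behaviour.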
McCutchen reported the bug on Bugzilla in October, and Mozilla has since fixed it by changing how the servers handle requests whose Host header does not match the host they reached.
“I have reviewed the issue and confirmed your concern. Defenses are in place to redirect requests that contain host headers that do not match the domain of the URL. However, as you’ve pointed out, this sometimes results in redirects to HTTP pages which could be intercepted by an attacker and modified with malicious content,” Mozilla’s Michael Coates wrote.
“As you mentioned, an attacker could use a DNS rebinding style attack to cause this header mismatch on a request for JavaScript made by the primary page. In this situation the attacker would wait for the auto redirect to http://www.mozilla.org and then inject content in the clear text response. This would ultimately infect the user's HTTPS connection with the original site.”