Vigil@nce: HTTPS, information disclosure via a proxy
June 2009 by Vigil@nce
When an attacker can set up a proxy between the user and an HTTPS web server, he can obtain sensitive information.
Severity: 2/4
Consequences: data reading
Provenance: intranet server
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 5
Creation date: 18/06/2009
IMPACTED PRODUCTS
HTTPS
Microsoft Internet Explorer
Mozilla Firefox
Mozilla SeaMonkey
Mozilla Suite
Opera
DESCRIPTION OF THE VULNERABILITY
The HTTPS (HTTP+SSL) protocol is used to encrypt data between the client and the server. A proxy between the client and the server cannot obtain the content of exchanges. However, several alternate attack methods can be used by a malicious proxy to obtain information from the victim’s web browser.
When the proxy generates a 4xx or 5xx error page, the JavaScript code it contains is interpreted in the context of the requested HTTPS website. This JavaScript code can thus read the content of the HTTPS web site displayed in the victim’s web browser. This vulnerability is corrected in IE 8, Firefox 3.0.10 and Opera 9.25. [grav:2/4; CVE-2009-2057, CVE-2009-2059]
The proxy can redirect pages containing JavaScript code to a malicious site. The malicious JavaScript code is then included in the HTTPS page and interpreted in its context. This vulnerability is corrected in Firefox 3.0.10 and Opera 9.25 (IE is not vulnerable). [grav:2/4; BID-35412, CVE-2009-2061, CVE-2009-2063]
When a website allows users to load the same page over HTTP or HTTPS, the proxy can use the HTTPS page to force the victim into an SSL session, so that malicious JavaScript code can access HTTPS data. This vulnerability is not corrected yet. [grav:2/4; CVE-2009-2064, CVE-2009-2065, CVE-2009-2067]
A malicious SSL proxy can first allow an SSL session, so that the browser keeps the SSL certificate in its cache, and then return a malicious 4xx or 5xx error page. This error page is nevertheless displayed with the attributes of a secured page (lock, green/blue address bar). This vulnerability is corrected in IE 8 and Firefox 3.0.10 (Opera is not vulnerable). [grav:2/4; BID-35411, CVE-2009-2069, CVE-2009-2070]
When an HTTPS web site sets cookies without the Secure flag, the proxy can use an HTTP session to obtain the cookie. This vulnerability will not be corrected in web browsers: it has to be corrected by web site developers. [grav:2/4]
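The last item is the one a site operator can fix directly. The following added example (not part of the Vigil@nce bulletin) parses raw Set-Cookie header values as a site would emit them, reports every cookie that lacks the Secure attribute (a browser also sends such a cookie over plain HTTP, where a proxy on the path can read it), and shows the corrected header. The header values are constructed sample data.

```python
"""Audit Set-Cookie headers for the Secure attribute.

Added example, not code from the bulletin. The sample headers below are
constructed; the functions work on any Set-Cookie header value.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header_value: str) -> CookieReport:
    """Split one Set-Cookie value into its name and attribute flags.

    The first ';'-separated segment is name=value; the remaining segments
    are attributes, whose names are case-insensitive per RFC 6265.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(name=name,
                        secure="secure" in attrs,
                        httponly="httponly" in attrs)


def insecure_cookies(headers: List[str]) -> List[str]:
    """Names of cookies that the browser would also send over plain HTTP."""
    return [r.name for r in map(parse_set_cookie, headers) if not r.secure]


def harden(header_value: str) -> str:
    """Return the header with a Secure attribute appended when it is missing."""
    if parse_set_cookie(header_value).secure:
        return header_value
    return header_value.rstrip().rstrip(";") + "; Secure"


# Constructed sample Set-Cookie values as returned by an HTTPS site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "csrftoken=xyz; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; Max-Age=31536000",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        report = parse_set_cookie(header)
        if not report.secure:
            print(f"cookie {report.name!r} lacks Secure; corrected header: {harden(header)}")
```

Run on a site's actual response headers, the audit lists exactly the cookies a malicious proxy could collect through an HTTP session; `harden` shows the one-attribute change the bulletin asks of site developers.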
When an attacker owns or can set up a proxy between the user and an HTTPS web server, he can therefore obtain sensitive information.
CHARACTERISTICS
Identifiers: BID-35411, BID-35412, CVE-2009-2057, CVE-2009-2059, CVE-2009-2061, CVE-2009-2063, CVE-2009-2064, CVE-2009-2065, CVE-2009-2067, CVE-2009-2069, CVE-2009-2070, VIGILANCE-VUL-8806
http://vigilance.fr/vulnerability/HTTPS-information-disclosure-via-a-proxy-8806