Firefox: HTTPS and response code 407

Today's release of Firefox 19.0 fixes an interesting bug that I reported to the vendor back in October 2012. In essence, an attacker on an untrusted network could first coerce the browser to use a rogue HTTP proxy (this can be done by leveraging the WPAD protocol); wait until the browser attempts to download an HTTPS document from an interesting site through said proxy; and then selectively respond to the appropriate CONNECT request with a plain-text message such as this:

```
HTTP/1.0 407 Boink
Proxy-Authenticate: basic
Connection: close
Content-Type: text/html

<html>
<h1>Hi, mom!</h1>
<script>alert(location.href)</script>

[...additional padding follows...]
```

The browser would show the user a cryptic authentication prompt - but hitting ESC or pressing Cancel would inevitably result in the proxy-supplied plain-text document being rendered in the same-origin context of the requested HTTPS site. There goes the transport security - so I guess that's an oops? :-)
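
An added example, not taken from the original post or from Firefox's source: a JavaScript sketch of how a client can handle a proxy's reply to CONNECT so that a non-2xx body is never rendered under the requested HTTPS origin. The function and field names are hypothetical, and the sample response is constructed from the one shown above.

```javascript
// Added example: client-side handling of a proxy's reply to CONNECT.
// Function and field names are hypothetical; this is not Firefox's code.

// Parse the status line and headers of a raw proxy response. The body is
// returned separately so the caller decides whether it may ever be used.
function parseProxyResponse(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const [statusLine, ...headerLines] = head.split("\r\n");
  const m = /^HTTP\/\d\.\d (\d{3})(?: (.*))?$/.exec(statusLine);
  if (!m) throw new Error("malformed status line");
  const headers = new Map();
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // skip malformed header lines
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    headers.set(name, [...(headers.get(name) || []), value]);
  }
  return { status: Number(m[1]), headers, body };
}

// Decide what to do with the reply to "CONNECT host:443". Only a 2xx reply
// opens the tunnel. Anything else came from the proxy in plain text, so its
// body is never handed to the renderer under the target's https:// origin.
function handleConnectReply(raw, targetOrigin) {
  const { status, headers } = parseProxyResponse(raw);
  if (status >= 200 && status < 300) {
    return { action: "tunnel", origin: targetOrigin, renderBody: null };
  }
  if (status === 407) {
    // Keep only the challenge needed for the auth prompt. If the user
    // cancels, show a browser-generated error page, not the proxy body.
    const challenges = headers.get("proxy-authenticate") || [];
    return { action: "proxy-auth", challenges, origin: null, renderBody: null };
  }
  return { action: "error", status, origin: null, renderBody: null };
}

// Constructed sample mirroring the response shown in the post.
const SAMPLE_407 = [
  "HTTP/1.0 407 Boink", "Proxy-Authenticate: basic", "Connection: close",
  "Content-Type: text/html", "",
  "<html><h1>Hi, mom!</h1><script>alert(location.href)</script>",
].join("\r\n");
```

The parser still exposes the body, so a regression test can confirm that markup was present in the reply while the decision object carries none of it.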
