
CVE-2009-2061

Published: 15 June 2009

Mozilla Firefox before 3.0.10 processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site.
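The client-side behaviour the description calls for, as an added Python illustration that is not code from this page or from Mozilla: a minimal proxy CONNECT client that treats only a 2xx reply as an open tunnel and starts the TLS handshake afterwards, so a 3xx from the proxy hop is a connection failure whose Location is ignored rather than a redirect acted on in the https origin's context. The two sample replies, the placeholder host redirect.example and the open_tunnel helper are constructed for the example.

```python
import re
import socket
import ssl
from typing import Dict, Tuple

STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3}) ?(.*)$")
# Constructed sample proxy replies to CONNECT (not taken from the page).
GOOD_REPLY = b"HTTP/1.1 200 Connection established\r\n\r\n"
REDIRECT_REPLY = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://redirect.example/\r\n"  # placeholder host
                  b"Content-Length: 0\r\n\r\n")

def parse_connect_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a proxy's CONNECT reply into (status code, lower-cased headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = STATUS_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed CONNECT status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(m.group(1)), headers

def tunnel_decision(raw: bytes) -> str:
    """Only 2xx opens the tunnel. Any other status is a failure of the
    unauthenticated proxy hop and must never be rendered or followed in the
    target https origin's context (following a 3xx is the CVE-2009-2061 bug)."""
    status, _ = parse_connect_response(raw)
    if 200 <= status < 300:
        return "tunnel"
    if 300 <= status < 400:
        return "fail:redirect-ignored"  # the proxy-supplied Location is dropped
    return "fail"

def open_tunnel(proxy: Tuple[str, int], host: str, port: int = 443) -> ssl.SSLSocket:
    """Connect through an HTTP proxy and start TLS to `host` only after a 2xx."""
    sock = socket.create_connection(proxy)
    req = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host, port, host, port)
    sock.sendall(req.encode("ascii"))
    raw = b""
    while b"\r\n\r\n" not in raw and (chunk := sock.recv(4096)):
        raw += chunk
    if tunnel_decision(raw) != "tunnel":
        sock.close()  # never hand the proxy's reply to the page as `host` content
        raise ConnectionError("proxy did not open tunnel: %r" % raw.split(b"\r\n", 1)[0])
    return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
```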

Priority

Low

Status

Package          Release    Status
firefox          Upstream   Needs triage
kde4libs         Upstream   Needs triage
kdelibs          Upstream   Needs triage
qt4-x11          Upstream   Needs triage
seamonkey        Upstream   Needs triage
webkit           Upstream   Needs triage
xulrunner-1.9    Upstream   Released (1.9.0.11)
xulrunner-1.9.1  Upstream   Released (1.9.1rc2)

Notes

Author: jdstrand

https://www.paypal.com/ is the PoC site, but https://wiki.ubuntu.com seems to be a valid trigger as well (both set a cookie which is sent on connect). https://www.verisign.com will trigger the alert() in the PoC, but doesn't contain the cookie.

firefox-3.0 (3.0.9) is confirmed to be affected.

mozilla is silently fixing this in 3.0.10, but it won't be public until the CRD.

konqueror 3 (kdelibs) in dapper is confirmed to be affected.

konqueror 4 (kde4libs) in jaunty does not seem to be affected (displays its own connection refused message for all 4xx codes).

webkit on jaunty does not seem affected, though all of its consumers are rather flaky (midori, python-webkit/webbrowser.py, webkit/GtkLauncher, kazehakase-webkit). None of these would work with paypal or wiki.u.c, but would with https://www.verisign.com/. At verisign, firefox would display the PoC alert, but without the cookie. webkit, midori and python-webkit would not display the alert at all (kazehakase crashes on any page load). Other consumers are devhelp and anjuta, but I didn't see how to get an external page to load. At any rate, webkit is a tentative 'not-affected'. Will get more feedback from Debian maintainer.

qt4-x11 in jaunty does not seem to be affected. arora is its browser consumer and it displays its own 'HTTP request failed' message for all 4xx codes.

also checked epiphany-webkit on 8.10. The browser can go to paypal, but is not vulnerable (does not display the alert at all for all 4xx codes).

References

Bugs