CVE-2005-0147 in Firefox

Summary

by MITRE

Firefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials.

Analysis

by VulDB Data Team • 06/06/2019

This vulnerability exists in Firefox versions prior to 1.0 and Mozilla versions prior to 1.7.5 when configured to use a proxy server. The flaw occurs during the handling of HTTP 407 proxy authentication responses, where the affected browsers automatically respond to authentication requests from any remote server without proper validation. This behavior represents a critical security weakness that directly violates the principle of least privilege and proper authentication validation. The vulnerability is categorized under CWE-287, which deals with improper authentication, specifically focusing on the lack of proper validation of authentication requests.

From an operational perspective, this vulnerability allows remote attackers to perform credential harvesting attacks by setting up malicious proxy servers that respond with 407 status codes. The attack vector is particularly dangerous because it leverages the trust relationship between browsers and proxy servers, enabling attackers to capture authentication credentials that would normally be protected by network-level security controls. When users connect through a proxy, their browsers automatically attempt to authenticate with the proxy server, and the vulnerable code path processes these authentication requests without verifying the legitimacy of the requesting server. This flaw directly maps to ATT&CK technique T1566.002, which covers credential access through phishing attacks, specifically targeting proxy authentication mechanisms. The vulnerability affects both NTLM and SPNEGO authentication protocols, making it particularly dangerous as these are widely used authentication mechanisms in enterprise environments.

The technical implementation flaw stems from insufficient input validation and authentication request verification within the proxy handling code. When a 407 response is received, the browser does not properly validate that the requesting server is a legitimate proxy server that the user has configured, leading to automatic credential submission. This behavior creates a man-in-the-middle attack vector where attackers can intercept and harvest user credentials without requiring any special privileges or complex attack vectors. The impact is severe because users may unknowingly submit their authentication credentials to malicious servers, potentially compromising their access to corporate networks and sensitive resources. Organizations using these vulnerable versions of Firefox or Mozilla browsers are at significant risk of credential theft, particularly in environments where proxy authentication is required for network access. The vulnerability demonstrates a fundamental flaw in how browsers handle proxy authentication responses and highlights the importance of proper authentication request validation.

Security controls should include network-level protections such as proxy server validation, monitoring for unusual proxy authentication requests, and user education about the risks of untrusted proxy configurations. The fix required involves implementing proper validation of proxy authentication requests to ensure that authentication responses are only processed for legitimate proxy servers that have been configured by the user. This vulnerability represents a classic case of insufficient authentication validation and underscores the critical importance of proper input validation in security-sensitive code paths. The flaw affects the integrity and confidentiality of user authentication data and represents a significant risk to enterprise security infrastructure where proxy authentication is commonly deployed.

Organizations should immediately upgrade to patched versions of Firefox and Mozilla browsers to mitigate this vulnerability and prevent potential credential theft attacks that could compromise network access and user accounts.
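The validation and monitoring described in the analysis can be expressed as one check, shown here as an added Python example (not Mozilla's patch and not part of this entry): answer a 407 only when the user's configured proxy issued it, and flag NTLM or Negotiate (the HTTP scheme that carries SPNEGO) challenges from any other server. The `Resp` record, its `responder` field and the host names are constructed for illustration and assume the client or log source can tell which server generated the response.

```python
from typing import NamedTuple, Optional

# HTTP auth schemes that make a client send credentials without prompting.
# "Negotiate" is the scheme name that carries SPNEGO.
AUTO_SCHEMES = {"ntlm", "negotiate"}

class Resp(NamedTuple):        # hypothetical record, not a browser structure
    responder: tuple           # (host, port) of the server that generated the response
    status: int
    proxy_authenticate: tuple  # values of any Proxy-Authenticate headers

def offered_schemes(resp: Resp) -> set:
    """Lower-cased scheme names from the Proxy-Authenticate challenges."""
    return {v.split()[0].lower() for v in resp.proxy_authenticate if v.strip()}

def same_endpoint(a: tuple, b: tuple) -> bool:
    """Compare (host, port) pairs, ignoring case and a trailing root dot."""
    return a[0].lower().rstrip(".") == b[0].lower().rstrip(".") and a[1] == b[1]

def should_answer_407(resp: Resp, configured_proxy: Optional[tuple]) -> bool:
    """Answer a proxy challenge only if the user's configured proxy issued it."""
    if resp.status != 407 or configured_proxy is None:
        return False
    return same_endpoint(resp.responder, configured_proxy)

def flag_rogue_challenges(responses, configured_proxy):
    """Detection: 407s asking for NTLM/Negotiate from anything but the proxy."""
    return [r for r in responses
            if r.status == 407
            and offered_schemes(r) & AUTO_SCHEMES
            and not should_answer_407(r, configured_proxy)]

# Constructed sample data (hosts are placeholders, not taken from the advisory).
PROXY = ("proxy.corp.example", 3128)
SAMPLE = [
    Resp(("proxy.corp.example", 3128), 407, ("Negotiate", "NTLM")),
    Resp(("www.site.example", 443), 407, ("NTLM",)),
    Resp(("www.site.example", 443), 401, ()),
    Resp(("PROXY.corp.example.", 3128), 407, ('Basic realm="gw"',)),
    Resp(("cdn.site.example", 80), 407, ('Basic realm="x"',)),
]

if __name__ == "__main__":
    for r in flag_rogue_challenges(SAMPLE, PROXY):
        print("rogue 407 from", r.responder, sorted(offered_schemes(r)))
```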

Reservation

01/25/2005

Disclosure

05/02/2005

Moderation

accepted

Entry

VDB-24323

CPE

ready

EPSS

0.01128

KEV

no

Activities

very low

Sources
