You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.

Skip to main content

You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.5.0.4) > MFSA 2006-33

Mozilla Foundation Security Advisory 2006-33

Title: HTTP response smuggling
Impact: High
Date: June 1, 2006
Reporter: Kazuho Oku (Cybozu Labs)
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 1.5.0.4
  Thunderbird 1.5.0.4
  SeaMonkey 1.0.2

Description

Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers.

The first technique takes advantage of Mozilla's lenient handling of HTTP header syntax which was necessary in the past to cope with various real-world servers. One aspect was to accept HTTP headers with space characters between the header name and the colon. A modern proxy with strict syntax checking would ignore these as invalid headers while Mozilla clients might accept them and interpret one long response as two shorter responses. If a page on the malicious host can make Firefox issue two requests in succession, one to the malicious host and one to the victim site, the second part of the response from the malicious site could be interpreted as the response from the victim site. The content of that response could be a web page that could steal login cookies or other sensitive data if the user has an account at the victim site.

A second variant accomplishes the same thing by sending HTTP 1.1 headers through an HTTP 1.0 proxy such as the popular Squid. The proxy will ignore the unknown 1.1 header (such as "Transfer-Encoding: chunked") while Mozilla-based clients will accept them and again can be made to interpret one long request as two shorter ones.

If the user is not browsing through a proxy the same attacks can still be mounted but would be effective only if the malicious site were at the same IP address as the victim site.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Thunderbird users are extremely unlikely to have logged into a website using their mail client further reducing the risk from this vulnerability.

Workaround

Upgrade to a fixed version.

References