Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
vulnerability alert CVE-2009-1836 CVE-2009-2057 CVE-2009-2059
HTTPS: information disclosure via a proxy
Synthesis of the vulnerability
When an attacker can set up a proxy between the user and an HTTPS web server, he can obtain sensitive information.
Severity: 2/4.
Creation date: 18/06/2009.
Description of the vulnerability
The HTTPS (HTTP+SSL) protocol is used to encrypt data between the client and the server. A proxy between the client and the server cannot obtain the content of the exchanges. However, several alternative attack methods can be used by a malicious proxy to obtain information from the victim's web browser.
When the proxy generates a 4xx or 5xx error page, the JavaScript code it contains is interpreted in the context of the requested HTTPS website. This JavaScript code can thus read the content of the HTTPS web site displayed in the victim's web browser. This vulnerability is corrected in IE 8, Firefox 3.0.10 and Opera 9.25. [severity:2/4; CVE-2009-1836, CVE-2009-2057, CVE-2009-2059]
The proxy can redirect pages containing JavaScript code to a malicious site. The malicious JavaScript code is then included in the HTTPS page and interpreted in its context. This vulnerability is corrected in Firefox 3.0.10 and Opera 9.25 (IE is not vulnerable). [severity:2/4; BID-35412, CVE-2009-2061, CVE-2009-2063]
When a website allows users to load the same page over HTTP or HTTPS, the proxy can use the HTTPS page to force the victim into an SSL session, so that malicious JavaScript code can access HTTPS data. This vulnerability is not corrected yet. [severity:2/4; CVE-2009-2064, CVE-2009-2065, CVE-2009-2067]
A malicious SSL proxy can first allow an SSL session, so that the browser keeps the SSL certificate in its cache, and then return a malicious 4xx or 5xx error page. This error page is then displayed with the attributes of a secured page (padlock, green/blue address bar). This vulnerability is corrected in IE 8 and Firefox 3.0.10 (Opera is not vulnerable). [severity:2/4; BID-35411, CVE-2009-2069, CVE-2009-2070]
When an HTTPS web site uses cookies without the "secure" flag, the proxy can use an HTTP session to obtain the cookie. This vulnerability will not be corrected in web browsers: it has to be corrected by web site developers. [severity:2/4]
When an attacker owns or can set up a proxy between the user and an HTTPS web server, he can therefore obtain sensitive information.
Complete Vigil@nce bulletin
Characteristics
Title: HTTPS: information disclosure via a proxy.
Keywords: 4xx 5XX 5xx Firefox HTTP HTTPS JavaScript Opera SSL disclosure information proxy.
Identifiers: BID-35411, BID-35412, CVE-2009-1836, CVE-2009-2057, CVE-2009-2059, CVE-2009-2061, CVE-2009-2063, CVE-2009-2064, CVE-2009-2065, CVE-2009-2067, CVE-2009-2069, CVE-2009-2070, SUSE-SR:2009:015, VIGILANCE-VUL-8806.
Pointed by: VIGILANCE-VUL-8792.
Supplements
Vulnerability III-A: Embedding scripts in error responses
When the proxy generates a 4xx or 5xx error page, the JavaScript code it contains is interpreted in the context of the requested HTTPS website. This JavaScript code can thus read the content of the HTTPS web site displayed in the victim's web browser. This vulnerability is corrected in IE 8, Firefox 3.0.10 and Opera 9.25.
Severity: 2/4.
Identifiers: CVE-2009-1836, CVE-2009-2057, CVE-2009-2059.
Vulnerability III-B: Redirecting script requests to malicious HTTP websites
The proxy can redirect pages containing JavaScript code to a malicious site. The malicious JavaScript code is then included in the HTTPS page and interpreted in its context. This vulnerability is corrected in Firefox 3.0.10 and Opera 9.25 (IE is not vulnerable).
Severity: 2/4.
Identifiers: BID-35412, CVE-2009-2061, CVE-2009-2063.
Vulnerability III-C: Importing scripts into HTTPS contexts through HPIHSL pages
When a website allows users to load the same page over HTTP or HTTPS, the proxy can use the HTTPS page to force the victim into an SSL session, so that malicious JavaScript code can access HTTPS data. This vulnerability is not corrected yet.
Severity: 2/4.
Identifiers: CVE-2009-2064, CVE-2009-2065, CVE-2009-2067.
Vulnerability IV-A: Certifying a proxy page with a real certificate
A malicious SSL proxy can first allow an SSL session, so that the browser keeps the SSL certificate in its cache, and then return a malicious 4xx or 5xx error page. This error page is then displayed with the attributes of a secured page (padlock, green/blue address bar). This vulnerability is corrected in IE 8 and Firefox 3.0.10 (Opera is not vulnerable).
Severity: 2/4.
Identifiers: BID-35411, CVE-2009-2069, CVE-2009-2070.
Vulnerability IV-B: Stealing authentication cookies of HTTPS websites by faking HTTP requests
When an HTTPS web site uses cookies without the "secure" flag, the proxy can use an HTTP session to obtain the cookie. This vulnerability will not be corrected in web browsers: it has to be corrected by web site developers.
Severity: 2/4.
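As an added example (not part of the Vigil@nce bulletin), a small Python checker for the IV-B condition described here and in the description section: it parses Set-Cookie header values as a browser would, reports cookies that lack the Secure attribute and would therefore also be sent on plain HTTP, and shows the corrected header value. The sample headers are constructed.

```python
from typing import Dict, List

# Constructed sample: Set-Cookie header values an HTTPS response might carry.
SAMPLE_SET_COOKIE_HEADERS = [
    "SESSIONID=a1b2c3d4; Path=/; HttpOnly",                    # missing Secure
    "csrftoken=zz99; Path=/; Secure; HttpOnly; SameSite=Lax",  # fine
    "prefs=dark; Path=/; Max-Age=31536000",                    # missing Secure
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split a Set-Cookie header value into the cookie name and its attributes.

    Attribute names are compared case-insensitively, as browsers do, so
    'secure', 'Secure' and 'SECURE' are all recognised as the same flag.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "attrs": attrs}


def find_insecure_cookies(headers: List[str]) -> List[str]:
    """Return the names of cookies set without the Secure flag.

    A browser sends such a cookie on plain HTTP requests to the same host as
    well, which is what a proxy provoking an HTTP request (IV-B) relies on.
    """
    return [c["name"] for c in map(parse_set_cookie, headers)
            if "secure" not in c["attrs"]]


def harden_set_cookie(header: str) -> str:
    """Return the header value with the Secure attribute appended if absent."""
    cookie = parse_set_cookie(header)
    if "secure" in cookie["attrs"]:
        return header
    return header.rstrip("; ") + "; Secure"


if __name__ == "__main__":
    for name in find_insecure_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print("cookie also sent over plain HTTP:", name)
    for h in SAMPLE_SET_COOKIE_HEADERS:
        print(harden_set_cookie(h))
```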
Computer vulnerabilities tracking service
The Vigil@nce computer vulnerability tracking service alerts your teams to vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.