Mozilla Foundation Security Advisory 2006-33

HTTP response smuggling

Announced
June 1, 2006
Reporter
Kazuho Oku (Cybozu Labs)
Impact
High
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 1.5.0.4
  • SeaMonkey 1.0.2
  • Thunderbird 1.5.0.4

Description

Kazuho Oku of Cybozu Labs reports via the Information-technology Promotion Agency, Japan, that Firefox is vulnerable to HTTP response smuggling when used with certain proxy servers.

The first technique takes advantage of Mozilla's lenient handling of HTTP header syntax which was necessary in the past to cope with various real-world servers. One aspect was to accept HTTP headers with space characters between the header name and the colon. A modern proxy with strict syntax checking would ignore these as invalid headers while Mozilla clients might accept them and interpret one long response as two shorter responses. If a page on the malicious host can make Firefox issue two requests in succession, one to the malicious host and one to the victim site, the second part of the response from the malicious site could be interpreted as the response from the victim site. The content of that response could be a web page that could steal login cookies or other sensitive data if the user has an account at the victim site.

A second variant accomplishes the same thing by sending HTTP 1.1 headers through an HTTP 1.0 proxy such as the popular Squid. The proxy will ignore the unknown 1.1 header (such as "Transfer-Encoding: chunked") while Mozilla-based clients will accept them and again can be made to interpret one long request as two shorter ones.

If the user is not browsing through a proxy the same attacks can still be mounted but would be effective only if the malicious site were at the same IP address as the victim site.

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Thunderbird users are extremely unlikely to have logged into a website using their mail client further reducing the risk from this vulnerability.

Workaround

Upgrade to a fixed version.

References