Mozilla Foundation Security Advisory 2009-27
SSL tampering via non-200 responses to proxy CONNECT requests
- Announced
- June 11, 2009
- Reporter
- Shuo Chen, Ziqing Mao, Yi-Min Wang, Ming Zhang
- Impact
- High
- Products
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 3.0.10
- SeaMonkey 1.1.17
- Thunderbird 2.0.0.22
 
Description
Microsoft security researchers Shuo Chen, Ziqing Mao, Yi-Min Wang, and Ming Zhang reported that when a CONNECT request is sent to a proxy server and a non-200 response is returned, the body of that response is incorrectly rendered within the context of the host named in the request's Host: header. Because the CONNECT exchange happens before any TLS handshake, nothing in it is authenticated: an active network attacker could intercept the CONNECT request and reply with a non-200 response containing malicious code, which would then execute within the context of the victim's requested SSL-protected domain. Since this attack requires the victim to have a proxy configured, the severity of this issue was determined to be high.

Thunderbird mail messages are not vulnerable to this flaw, but if Thunderbird were being used in a browser-like manner (through add-ons, perhaps) and JavaScript were enabled (not the default setting), then users of older versions could be vulnerable to this flaw.
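The exchange described above, as an added example that is not part of this advisory and not Mozilla's code: a constructed CONNECT request, a constructed attacker reply with a non-200 status and an HTML body, and two client-side handlers side by side. `vulnerable_client` models the pre-fix behaviour the advisory describes (the body is rendered under the requested host's HTTPS origin); `fixed_client` models the safe handling a client should apply (a non-200 status means no tunnel was opened, so no bytes from the proxy are attributed to the target). The host name, messages and function names are assumptions made for this illustration, and `fixed_client` is a generic safe behaviour, not a transcription of Mozilla's patch.

```python
"""
Added example (not Mozilla's code): a constructed proxy CONNECT exchange
showing why a non-200 reply must not be rendered as the requested host,
and the check a client should apply instead.  All hosts, messages and
function names are assumptions made for this illustration.
"""

TARGET_HOST = "secure.example.test"  # constructed target host

# Constructed request: what a browser sends its configured proxy to open a
# TLS tunnel.  Everything up to the 200 reply travels in clear text.
CONNECT_REQUEST = (
    f"CONNECT {TARGET_HOST}:443 HTTP/1.1\r\n"
    f"Host: {TARGET_HOST}:443\r\n"
    "\r\n"
).encode("ascii")

PAYLOAD = b"<html><script>alert(document.cookie)</script></html>"

# Constructed attacker reply: an on-path attacker (or a hostile proxy)
# answers the unauthenticated CONNECT with a non-200 status and an HTML body.
ATTACKER_RESPONSE = (
    b"HTTP/1.1 403 Forbidden\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: " + str(len(PAYLOAD)).encode("ascii") + b"\r\n"
    b"\r\n" + PAYLOAD
)

# Constructed honest reply: the tunnel is established and no body follows;
# the TLS handshake with TARGET_HOST starts next on the same socket.
GOOD_RESPONSE = b"HTTP/1.1 200 Connection established\r\n\r\n"


def connect_target(request: bytes) -> str:
    """Return the host:port authority named in a CONNECT request line."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii")
    method, authority, _version = request_line.split(" ")
    if method != "CONNECT":
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    return authority


def parse_response(raw: bytes):
    """Split an HTTP response into (status code, headers dict, body bytes)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    _version, code, _reason = status_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def vulnerable_client(request: bytes, response: bytes) -> dict:
    """Pre-fix behaviour as described by the advisory (modelled here, not
    Mozilla's code): a non-200 body is rendered as if it came from the
    requested host, i.e. with that host's HTTPS origin."""
    host = connect_target(request).split(":")[0]
    code, _headers, body = parse_response(response)
    if code == 200:
        return {"tunnel": True, "origin": f"https://{host}", "rendered": None}
    # Bug: attacker-controlled body rendered with the target's HTTPS origin.
    return {"tunnel": False, "origin": f"https://{host}", "rendered": body}


def fixed_client(request: bytes, response: bytes) -> dict:
    """Safe behaviour (assumed generic handling, not Mozilla's patch): anything
    other than 200 means no tunnel exists, so no bytes from the proxy may be
    attributed to the target.  Report a proxy error and drop the body."""
    host = connect_target(request).split(":")[0]
    code, _headers, _body = parse_response(response)
    if code == 200:
        return {"tunnel": True, "origin": f"https://{host}", "rendered": None}
    return {"tunnel": False, "origin": None, "rendered": None,
            "error": f"proxy refused CONNECT to {host} with status {code}"}


if __name__ == "__main__":
    print("vulnerable:", vulnerable_client(CONNECT_REQUEST, ATTACKER_RESPONSE))
    print("fixed:     ", fixed_client(CONNECT_REQUEST, ATTACKER_RESPONSE))
    print("honest:    ", fixed_client(CONNECT_REQUEST, GOOD_RESPONSE))
```

The point to take from the two handlers is that the status code of a CONNECT reply is the only thing that separates "the target is about to speak, over TLS" from "the proxy, or whoever is impersonating it, is speaking in the clear". Only the first case may borrow the target's origin; a client that renders the second case as the target lets an unauthenticated network peer run script with that origin's cookies and storage.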