Bug 1364463 - CVE-2005-2395: Firefox uses Basic auth when it shouldn't
Summary: CVE-2005-2395: Firefox uses Basic auth when it shouldn't
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 24
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jan Horak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: CVE-2005-2395
Reported: 2016-08-05 12:03 UTC by David Woodhouse
Modified: 2016-08-19 09:51 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-08-19 09:51:32 UTC
Type: Bug
Embargoed:
Links
System: Mozilla Foundation | ID: 281851 | Priority: None | Status: None | Last Updated: 2016-08-05 12:03:56 UTC

Description David Woodhouse 2016-08-05 12:03:56 UTC
Firefox uses the first auth method offered by the server in its headers, while RFC2617 says that it MUST use the strongest one.

This is causing users to see password prompts, and potentially send passwords over the wire in plain text, when they should be using GSSAPI or NTLM authentication which would work with single-sign-on.
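Scheme selection as RFC 2617 describes it, written as an added example for this report (not Firefox code); the ranking that places Negotiate and NTLM above Digest and Basic, and the constructed header values, are assumptions:

```python
# Added example: parse WWW-Authenticate challenges and pick the strongest scheme.
from typing import List, Optional, Tuple

# Assumed preference order, strongest first. RFC 2617 only defines Basic and
# Digest; Negotiate (GSSAPI) and NTLM are what a single-sign-on server offers.
STRENGTH = ["negotiate", "ntlm", "digest", "basic"]

def _split_outside_quotes(value: str) -> List[str]:
    """Split a header value on commas that are not inside a quoted-string."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]

def parse_challenges(headers: List[str]) -> List[Tuple[str, str]]:
    """Return (scheme, params) pairs from one or more WWW-Authenticate values."""
    challenges: List[Tuple[str, str]] = []
    for header in headers:
        for piece in _split_outside_quotes(header):
            head, _, rest = piece.partition(" ")
            if "=" in head and challenges:
                # A bare param such as nonce="..." continues the previous challenge.
                scheme, params = challenges[-1]
                challenges[-1] = (scheme, (params + ", " + piece).strip(", "))
            else:
                challenges.append((head.lower(), rest.strip()))
    return challenges

def first_offered(headers: List[str]) -> Optional[str]:
    """The behaviour this bug describes: take whatever the server listed first."""
    offered = parse_challenges(headers)
    return offered[0][0] if offered else None

def choose_scheme(headers: List[str]) -> Optional[str]:
    """RFC 2617 behaviour: strongest understood scheme, regardless of order."""
    offered = {scheme for scheme, _ in parse_challenges(headers)}
    for scheme in STRENGTH:
        if scheme in offered:
            return scheme
    return None  # nothing we understand; do not fall back to sending a password

if __name__ == "__main__":
    # Constructed 401 response headers: Basic listed first, SSO schemes after it.
    hdrs = ['Basic realm="corp"', "Negotiate", "NTLM"]
    print(first_offered(hdrs), "->", choose_scheme(hdrs))  # basic -> negotiate
```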

Comment 1 Jan Horak 2016-08-19 09:51:32 UTC
Thanks for letting us know. We're going to track it on upstream. Fixing this is beyond a simple change in source code, so it will have to go through the Mozilla review process anyway.

I've added myself to the CC list on mozbz.
