Vulnerability CVE-2008-0367 - CERT Civis.Net

Vulnerability Name:

CVE-2008-0367 (CCN-39371)

Assigned:

2008-01-02

Published:

2008-01-02

Updated:

2018-10-26

Summary:

Mozilla Firefox 2.0.0.11, 3.0b2, and possibly earlier versions, when prompting for HTTP Basic Authentication, displays the site requesting the authentication after the Realm text, which might make it easier for remote HTTP servers to conduct phishing and spoofing attacks.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
4.2 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:POC/RL:U/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Bypass Security

References:

Source: CCN
Type: Aviv Raff On .NET Web site
Yet another Dialog Spoofing - Firefox Basic Authentication

Source: MISC
Type: Third Party Advisory
http://aviv.raffon.net/2008/01/02/YetAnotherDialogSpoofingFirefoxBasicAuthentication.aspx

Source: MISC
Type: Third Party Advisory
http://aviv.raffon.net/2008/01/05/FirefoxDialogSpoofingFAQ.aspx

Source: CONFIRM
Type: Vendor Advisory
http://blog.mozilla.com/security/2008/01/04/basicauth-dialog-realm-value-spoofing/

Source: MITRE
Type: CNA
CVE-2008-0367

Source: CCN
Type: Mozilla Web site
Firefox web browser & Thunderbird email client

Source: CCN
Type: OSVDB ID: 43258
Mozilla Firefox Basic Authentication Realm Text Display Weakness

Source: BUGTRAQ
Type: Third Party Advisory, VDB Entry
20080103 Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication

Source: BUGTRAQ
Type: Third Party Advisory, VDB Entry
20080103 Re: [Full-disclosure] Yet another Dialog Spoofing Vulnerability - Firefox Basic Authentication

Source: BID
Type: Third Party Advisory, VDB Entry
27111

Source: CCN
Type: BID-27111
Mozilla Firefox 'Basic Realm' Basic Authentication Header Spoofing Vulnerability

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=244273

Source: XF
Type: UNKNOWN
firefox-wwwauthenticate-header-spoofing(39371)

Vulnerable Configuration:

Configuration 1:

cpe:/a:mozilla:firefox:*:*:*:*:*:*:*:* (Version <= 2.0.0.11)

OR cpe:/a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:mozilla:firefox:2.0:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.4:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.5:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.6:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.9:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.7:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.8:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.11:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:2.0.0.10:*:*:*:*:*:*:*

OR cpe:/a:mozilla:firefox:3.0:beta2:*:*:*:*:*:*

Denotes that component is vulnerable