CVE-2017-5384

Information disclosure via Proxy Auto-Config (PAC)

Publish date

July 2016

Identifier

CVE-2017-5384

Manufacturer

Mozilla

Product

Firefox

Patched

https://bugzilla.mozilla.org/show_bug.cgi?id=1255474

Authors

Paul Stone, Alex Chapman

Description

Malicious Proxy Auto-Config (PAC) files allow for the disclosure of SSL/TLS-encrypted HTTPS request URLs (including full paths and query strings) from Firefox. The PAC file specifies a JavaScript function, FindProxyForURL(url, host), which is called for each URL request in order to determine the required proxy for the connection. This function receives the full URL and hostname for both HTTP and HTTPS requests, which can be leaked by a malicious PAC script. This could expose credentials, tokens, search terms or any other data passed in HTTPS URL query strings, which would otherwise be encrypted, to internet-based attackers. This issue does not affect the default configuration of Firefox.
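As an added example (not from the advisory and not Mozilla's code), a small JavaScript harness showing the mitigation implied by the description: strip everything after the host from HTTPS URLs before they reach FindProxyForURL, so a PAC script, malicious or not, only ever sees what is already visible on the wire. The sample PAC script, the hostnames and the shExpMatch helper are constructed for the example.

```javascript
// Added example: a minimal PAC harness that strips path, query, fragment and
// userinfo from HTTPS URLs before calling FindProxyForURL. This mirrors the
// defensive idea of the fix (pass only scheme, host and port for HTTPS) but is
// not Firefox's implementation.

function sanitizeUrlForPac(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== "https:") {
    return rawUrl;            // plain HTTP is visible on the network anyway
  }
  // Keep only scheme, host and (non-default) port; drop everything TLS protects.
  return `${u.protocol}//${u.host}/`;
}

// Constructed, benign PAC script as a browser would load it.
const samplePacSource = `
  function FindProxyForURL(url, host) {
    if (shExpMatch(host, "*.example.com")) { return "DIRECT"; }
    return "PROXY proxy.example.net:8080";
  }
`;

// Minimal shell-style glob matcher, the only PAC helper the sample needs.
function shExpMatch(str, pattern) {
  const parts = pattern.split("*").map(s => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$").test(str);
}

// Evaluate PAC source and hand back its FindProxyForURL function.
function loadPac(source) {
  return new Function("shExpMatch", source + "; return FindProxyForURL;")(shExpMatch);
}

// Resolve a proxy for a URL; also report the URL the PAC script actually saw.
function resolveProxy(findProxyForURL, rawUrl) {
  const seen = sanitizeUrlForPac(rawUrl);
  const host = new URL(rawUrl).hostname;
  return { proxy: findProxyForURL(seen, host), urlSeenByPac: seen };
}
```

With the harness in place, an HTTPS request such as `https://api.example.com/reset?token=abc123` reaches the PAC script as `https://api.example.com/`, while HTTP URLs are passed through unchanged.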

https://bugzilla.mozilla.org/show_bug.cgi?id=1255474
