Endpoint Vulnerability

Cookie injection through Proxy Authenticate responses

Description

Security researcher Xiaofeng Zheng of the Blue Lotus Team at Tsinghua University reported reported that a Web Proxy returning a 407 Proxy Authentication response with a Set-Cookie header could inject cookies into the originally requested domain. This could be used for session-fixation attacks. This attack only allows cookies to be written but does not allow them to be read.

Affected Products

Firefox,Firefox ESR

References

CVE-2014-8639,