A security weakness has been discovered in Mozilla's Authentication process, where instead of using the strongest authentication scheme from a list of available schemes, Mozilla would prefer the first one listed.
Vulnerable Systems:
* Mozilla 1.7.11 (Windows version tested)
* FireFox 1.0.6 (Windows version tested)
Firefox and Mozilla browser have vulnerability in authentication mechanism implementation. Potential impact of this vulnerability is weak authentication protocol (for example cleartext) may be chosen for Web site authentication instead of stronger one.
From RFC 2617:
The user agent MUST choose to use one of the challenges with the strongest auth-scheme it understands and request credentials from the user based upon that challenge.
Instead, Mozilla uses authentication schemes in the order of WWW-Authenticate headers sent by Web server. It may lead to situation weak authentication (for example cleartext "Basic" authentication) may be chosen by Mozilla while both server and Mozilla support stronger authentication mechanism.
With this link you can check which protocol was chosen by browser, if server support few authentication protocols: http://www.security.nnov.ru/files/atest/all.asp
For Mozilla/Firefox "Basic" authentication with cleartext login/password transmitted over the wire will be chosen by default. By pressing "Cancel" you can choose different authentication.
