cannot log in to website (Error Message); transaction.cityofmerced.org.potentially vulnerable CVE-2009-3555

NEW Login Problem when attempting to pay Utility bill as I've normally done


The WEB site page then displays message: We apologize, the system is temporarily down.

Please report the following to the System Administrator: java.lang.Exception: This website does not currently support your web browser. You can view this site in Internet Explorer or FireFox


My FireFox error console on browser displays = "transactions.cityofmerced.org:potentially.vulnerable.CVE-2009-3555"


Java search yields the following


Cyber Risk Report March 29–April 4, 2010

Transport Layer Security Renegotiation Remote Man-in-the-Middle Attack Vulnerability

IntelliShield Vulnerability Alert 19361, Version 43, April 1, 2010 Urgency/Credibility/Severity Rating: 2/5/3 CVE-2009-3555

Multiple TLS implementations contain a vulnerability when renegotiating a Transport Layer Security (TLS) session that could allow an unauthenticated, remote attacker to conduct a man-in-the-middle attack. Proof-of-concept code that exploits this vulnerability is publicly available. Mozilla and Oracle, in addition to other vendors, have released updates for this vulnerability. http://www.cisco.com/web/about/security/intelligence/CRR_mar29-apr4.html


Will FireFox browser updates address this security problem???

URL of affected sites

http://transactions.cityofmerced.org/Click2GovCX/Index.jsp

User Agent

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefo796804586903 887809903

All Replies (2)

That message is meant for webmasters to make them aware that they need to fix their servers. Firefox 3.6 versions can detect such a misconfiguration and display a warning in the "Tools > Error Console".

See https://wiki.mozilla.org/Security:Renegotiation

Thanks cor-el, I sent your answer on to the Webmaster.

I.E. still allows the negotiation of the (TLS) session and I mistook it to mean Firefox had fallen behind and was being refused access by the site.

You're saying because the Browser can detect such a misconfiguration that it won't accept the security risk of a misconfiguration at the site?

I appreciate your reply and explanation!! Bill Rogers