SecurityTracker.com
Category:  Application (Web Browser)  >  Wichio
Vendors:  wichio.com
Wichio Lets Remote Users Spoof Javascript Dialog Boxes
SecurityTracker Alert ID:  1014297
SecurityTracker URL:  http://securitytracker.com/id?1014297
CVE Reference:  GENERIC-MAP-NOMATCH
Updated:  Jun 27 2005
Original Entry Date:  Jun 27 2005
Impact:  Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 4.2
Description:  Juha-Matti Laurio reported a vulnerability in Wichio. A remote user can spoof Javascript dialog boxes.

The browser displays Javascript dialog boxes without indicating which site opened them. As a result, a remote user can create HTML that opens a dialog box while a trusted site is displayed, so the dialog appears to originate from that trusted site.

A demonstration exploit is available at:

http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

The vendor was notified on June 24, 2005.

Jakob Balle of Secunia Research originally discovered this type of vulnerability, affecting a variety of browsers.

Impact:  A remote user can spoof Javascript dialog boxes.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.wichio.com/
Cause:  State error
Underlying OS:  Windows (Any)
Reported By:  Juha-Matti Laurio <juha-matti.laurio@netti.fi>
Message History:   None.


Source Message Contents

Date:  Fri, 24 Jun 2005 05:40:51 +0300 (EEST)
From:  Juha-Matti Laurio <juha-matti.laurio@netti.fi>
Subject:  New 27 Tools-in-1 Wichio Browser Dialog Origin Spoofing Vulnerability

 
- Description:
The newest 27 Tools-in-1 Wichio Browser (aka Wichio) version 4.2, 
released on 6th June 2005, is confirmed as affected by the new remote-type 
Multiple Browsers Dialog Origin Vulnerability. Tests were done with the 
Secunia test page
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ .

Result:
The result was similar when tested with fully patched Microsoft Internet 
Explorer 6.0 (6.0.2800.1106) including the cumulative Microsoft June 
security update MS05-025. The issue was tested with Microsoft Windows XP 
Professional US, and default browser settings were in use. 'Full 
Features' was selected in the Customize Features menu when starting the browser. 
The default 'Glass Orb' skin was in use.

The Script Prompt opened by this test, asking for a 'password', doesn't show 
the origin URL of the dialog box. This enables spoofing-type attacks. 
The browser status bar shows the following text for the 'Test Now - Left Click 
On This Link' link:
http://www.google.com/

When selecting the test link at Secunia's Test Case / Demonstration 
page, a JavaScript dialog box (in fact, JScript) was displayed in front 
of the Google.com (or localized Google.fi etc.) web site without
information about its origin URL and/or domain name. The typed text 
appeared later in the generated 'You entered:' JScript dialog box.
When tested, the focus was not switched back to the Secunia site (i.e. tab) 
automatically. The situation was different compared to several other 
browsers based on the IE engine.

- Technical details:
A dialog box was opened via test-like PHP script, located at
http://www.google.com.secunia.com/tests/origin_spoof.php .

From the vendor:
"27 Tools-in-1 Wichio Browser is a multi-page or tabbed web browser with 
built-in 27 popular and useful utilities which serve all levels of 
Internet users."

- Solution status:
Unpatched

Software:
Revopoint 27 Tools-in-1 Wichio Browser 4.x, aka Wichio
(shareware)

- Affected versions:
The vulnerability has been reported in version 4.2. Other versions may 
also be affected. The exact .exe file version checked was 
4.2.0.0.

Vendor:
Revopoint Co., Ltd.

Vendor Home Page:
http://www.wichio.com/

Product Home Page:
http://www.wichio.com/

- Download link for version tested:

http://www.wichio.com/download.htm

-> links to
http://download.com.com/3000-2356-10191876.html?part=115810&subj=dlpage&tag=button

OS: Microsoft Windows

CVE reference: N/A

- Solution:
Do not browse untrusted web sites when browsing trusted sites.

The following workarounds are provided and tested by the researcher:
- Check the URL address of a browser window opening a new dialog box 
titled 'Explorer User Prompt' and containing text like 'Script 
Prompt' etc. The dialog box title is localized on non-English
Windows OSs, e.g. 'Explorerin käyttäjäkehote'. If the domain contains 
multiple domain suffixes, for example
www.real-address.com.non-real-address.com, use the following workaround 
method:
- When typing sensitive information into a Web site's password-type dialog 
boxes, be sure that this site is a legitimate site.
In Wichio Browser an internal security utility can be used to check the web 
site origin and some other properties:
- It is possible to use the Utilities / IP-URL Checker (keyboard shortcut: 
Shift-Ctrl-A) feature. Click the Whois button; the recent URL address is 
placed in the query box automatically.

NOTE: Using multiple domain suffixes may indicate a spoofing attempt. 
Examining the dialog box addresses can be done with the View / Source 
function etc.

Additionally, Microsoft has published a security advisory to help IE (or 
software using IE's engine) users avoid possible spoofing attempts; 
it is located at
http://www.microsoft.com/technet/security/advisory/902333.mspx .

The vendor was contacted on 24th June, 2005 and workarounds were included in 
the report.

Timeline:
22-06-2005 - Workaround information sent to local CERT-FI unit
23-06-2005 - CERT-FI replied, no security advisory about Internet 
Explorer or IE based browsers coming
24-06-2005 - Vulnerability in Wichio Browser researched
24-06-2005 - Vendor contacted, workarounds offered to the vendor
24-06-2005 - Security companies and several CERT units contacted
24-06-2005 - Technical details and the workarounds provided were sent to 
Microsoft Security Response Center


Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
http://www.networksecurity.fi
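The advisory's description (a dialog shown with no origin while a trusted site is on screen) and the researcher's workaround (inspect the window's address and distrust hostnames with "multiple domain suffixes" such as www.real-address.com.non-real-address.com) both come down to one check: which domain actually owns the hostname. The following is an added example, not code from the advisory, from Secunia or from the Wichio product, showing that check as a defender-side heuristic. It assumes a deliberately small, constructed suffix list in place of the real Public Suffix List, and uses the decoy host named in the technical details above as one of its constructed inputs.

```javascript
// Added example (not from the advisory or the Wichio product): flag
// "multiple domain suffix" hostnames such as
// www.real-address.com.non-real-address.com before trusting a dialog.

// Constructed, deliberately small suffix list standing in for the real
// Public Suffix List (https://publicsuffix.org/); extend it for real use.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "fi", "uk", "co.uk"]);

function hostLabels(hostname) {
  return hostname.trim().toLowerCase().replace(/\.$/, "").split(".");
}

// Index of the first label of the registrable domain, or -1 if the whole
// hostname is itself a public suffix (e.g. "co.uk"). Scanning from the left
// finds the longest matching suffix first ("co.uk" before "uk").
function registrableStart(labels) {
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i - 1; // the label just before the suffix owns the name
    }
  }
  return labels.length - 2; // unknown TLD: treat the last label as the suffix
}

// "secunia.com" for www.google.com.secunia.com; null for a bare suffix.
function registrableDomain(hostname) {
  const labels = hostLabels(hostname);
  const start = registrableStart(labels);
  return start < 0 ? null : labels.slice(start).join(".");
}

// Looks for a public suffix hiding inside the subdomain part, i.e. before
// the registrable domain. Returns the decoy prefix that a user might read
// as the real site (e.g. "www.google.com"), or null when there is none.
function decoyPrefix(hostname) {
  const labels = hostLabels(hostname);
  const start = registrableStart(labels);
  for (let j = 0; j < start; j++) {
    for (let k = j + 1; k <= start; k++) {
      if (PUBLIC_SUFFIXES.has(labels.slice(j, k).join("."))) {
        return labels.slice(0, k).join(".");
      }
    }
  }
  return null;
}

// Verdict for a dialog that appears in front of `hostname`: only trust it
// when the registrable domain is one the user actually trusts and no decoy
// suffix precedes it.
function assessDialogOrigin(hostname, trustedDomains) {
  const registrable = registrableDomain(hostname);
  const decoy = decoyPrefix(hostname);
  const trusted =
    registrable !== null && trustedDomains.includes(registrable) && decoy === null;
  return { hostname, registrable, decoy, trusted };
}

// Constructed inputs: the decoy host from the advisory's technical details,
// the real site it imitates, and a legitimate multi-label host.
const TRUSTED = ["google.com", "google.co.uk"];
const SAMPLES = ["www.google.com.secunia.com", "www.google.com", "mail.google.co.uk"];

for (const h of SAMPLES) {
  const v = assessDialogOrigin(h, TRUSTED);
  console.log(`${h}: registrable=${v.registrable} decoy=${v.decoy} trusted=${v.trusted}`);
}
```

The heuristic only answers the question the workaround poses (who owns this hostname); it cannot tell which window a script prompt came from, which is exactly the information the affected browser withholds, so it complements rather than replaces checking the address of the window that opened the dialog.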


Copyright 2005, SecurityGlobal.net LLC