SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Opera Vendors:   Opera Software
Opera IDN Implementation Lets Remote Users Spoof URLs and SSL Certificates
SecurityTracker Alert ID:  1013096
SecurityTracker URL:  http://securitytracker.com/id/1013096
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Feb 7 2005
Impact:   Modification of system information
Exploit Included:  Yes  
Version(s): 7.54
Description:   A vulnerability was reported in the Opera web browser in the processing of International Domain Names (IDNs). A remote user can spoof web sites, including secure web sites.

A remote user can conduct a 'homograph' attack to spoof a target web site. The remote user can create a specially crafted URL that, when loaded by the target user, will cause the browser to display a spoofed URL in the status bar but load a web page from a different web site with an IDN. If the destination site is running SSL and has a valid digital certificate, the browser will authenticate the site but display the spoofed URL as the authenticated URL.

For example, the international domain name of 'domаin' will be displayed as 'domain'.

Because an IDN is valid for obtaining digital certificates, a remote user can register a specially selected IDN and obtain a digital certificate to spoof arbitrary secure web sites.

A demonstration exploit is available at:

http://www.shmoo.com/idn/

The vendor was notified on January 19, 2005.

The original advisory is available at:

http://www.shmoo.com/idn/homograph.txt

Impact:   A remote user can spoof a web site, including a secure web site.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.opera.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  BeOS, Linux (Any), Apple (Legacy "classic" Mac), QNX, UNIX (FreeBSD), UNIX (macOS/OS X), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC