SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Mozilla Browser Vendors:   Mozilla.org
Mozilla Firefox IDN Implementation Lets Remote Users Spoof URLs and SSL Certificates
SecurityTracker Alert ID:  1013097
SecurityTracker URL:  http://securitytracker.com/id/1013097
CVE Reference:   CVE-2005-0233   (Links to External Site)
Updated:  Feb 25 2005
Original Entry Date:  Feb 7 2005
Impact:   Modification of system information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0
Description:   A vulnerability was reported in the Mozilla Firefox web browser in the processing of International Domain Names (IDNs). A remote user can spoof web sites, including secure web sites.

A remote user can conduct a 'homograph' attack to spoof a target web site. The remote user can create a specially crafted URL that, when loaded by the target user, will cause the browser to display a spoofed URL in the status bar but load a web page from a different web site with an IDN. If the destination site is running SSL and has a valid digital certificate, the browser will authenticate the site but display the spoofed URL as the authenticated URL.

For example, the international domain name of 'domаin' will be displayed as 'domain'.

Because an IDN is valid for obtaining digital certificates, a remote user can register a specially selected IDN and obtain a digital certificate to spoof arbitrary secure web sites.

A demonstration exploit is available at:

http://www.shmoo.com/idn/

The vendor was notified on January 19, 2005.

The original advisory is available at:

http://www.shmoo.com/idn/homograph.txt

Impact:   A remote user can spoof a web site, including a secure web site.
Solution:   No solution was available at the time of this entry.

As a workaround, you can disable IDN support by setting the 'network.enableIDN' configuration parameter to false.

[Editor's note: On February 7, 2005, Ian Pilcher reported that the Mozilla workaround does not work, at least on Linux platforms. Mozilla will initially ignore IDN lookups, but after browser restart will support IDN even though the configuration parameter is set to 'false'.]

Vendor URL:  www.mozilla.org/products/firefox/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 25 2005 (Vendor Issues Fix) Mozilla Firefox IDN Implementation Lets Remote Users Spoof URLs and SSL Certificates
The vendor has issued a fix.
Mar 24 2005 (Red Hat Issues Fix) Mozilla Firefox IDN Implementation Lets Remote Users Spoof URLs and SSL Certificates
The vendor has released a fix.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC