Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Web Browser)  >   KDE Konqueror Vendors:
KDE Konqueror IDN Implementation Lets Remote Users Spoof URLs and SSL Certificates
SecurityTracker Alert ID:  1013098
SecurityTracker URL:
CVE Reference:   CVE-2005-0237   (Links to External Site)
Updated:  Mar 16 2005
Original Entry Date:  Feb 7 2005
Impact:   Modification of system information
Exploit Included:  Yes  

Description:   A vulnerability was reported in the KDE Konqueror web browser in the processing of International Domain Names (IDNs). A remote user can spoof web sites, including secure web sites.

A remote user can conduct a 'homograph' attack to spoof a target web site. The remote user can create a specially crafted URL that, when loaded by the target user, will cause the browser to display a spoofed URL in the status bar but load a web page from a different web site with an IDN. If the destination site is running SSL and has a valid digital certificate, the browser will authenticate the site but display the spoofed URL as the authenticated URL.

For example, the international domain name of 'domаin' will be displayed as 'domain'.

Because an IDN is valid for obtaining digital certificates, a remote user can register a specially selected IDN and obtain a digital certificate to spoof arbitrary secure web sites.

A demonstration exploit is available at:

Eric Johanson reported this flaw.

The original advisory is available at:

Impact:   A remote user can spoof a web site, including a secure web site.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 23 2005 (Fedora Issues Fix) KDE Konqueror IDN Implementation Lets Remote Users Spoof URLs and SSL Certificates
Fedora has released a fix.

 Source Message Contents

[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC