SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   Mozilla Browser Vendors:   Mozilla.org
(Vendor Issues Fix) Mozilla Firefox IDN Implementation Lets Remote Users Spoof URLs and SSL Certificates
SecurityTracker Alert ID:  1013302
SecurityTracker URL:  http://securitytracker.com/id/1013302
CVE Reference:   CVE-2005-0233   (Links to External Site)
Date:  Feb 25 2005
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 1.0
Description:   A vulnerability was reported in the Mozilla Firefox web browser in the processing of International Domain Names (IDNs). A remote user can spoof web sites, including secure web sites.

A remote user can conduct a 'homograph' attack to spoof a target web site. The remote user can create a specially crafted URL that, when loaded by the target user, will cause the browser to display a spoofed URL in the status bar but load a web page from a different web site with an IDN. If the destination site is running SSL and has a valid digital certificate, the browser will authenticate the site but display the spoofed URL as the authenticated URL.

For example, the international domain name of 'domаin' will be displayed as 'domain'.

Because an IDN is valid for obtaining digital certificates, a remote user can register a specially selected IDN and obtain a digital certificate to spoof arbitrary secure web sites.

A demonstration exploit is available at:

http://www.shmoo.com/idn/

The vendor was notified on January 19, 2005.

The original advisory is available at:

http://www.shmoo.com/idn/homograph.txt

Impact:   A remote user can spoof a web site, including a secure web site.
Solution:   A fixed version (1.0.1) is available at:

http://www.mozilla.org/products/firefox/all.html

In this fix, IDN URLs are displayed using puny code.

Vendor URL:  www.mozilla.org/products/firefox/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Feb 7 2005 Mozilla Firefox IDN Implementation Lets Remote Users Spoof URLs and SSL Certificates



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC