SecurityTracker Alert ID: 1014265
SecurityTracker URL: http://securitytracker.com/id/1014265
Date: Jun 22 2005
Disclosure of user information, Modification of user information
Exploit Included: Yes
A demonstration exploit is available at:
The vendor was notified on June 22, 2005.
Jakob Balle of Secunia Research originally discovered this type of vulnerability, affecting a variety of browsers.
No solution was available at the time of this entry.
Vendor URL: www.netcaptor.com/
Underlying OS: Windows (Any)
Source Message Contents
Subject: New NetCaptor Browser Dialog Origin Spoofing Vulnerability
The newest NetCaptor Browser version 7.5.4 (released 2/18/2005) is
confirmed as affected by the new
remote-type Multiple Browsers Dialog Origin Vulnerability.
Tests were done with the Secunia test page
The result was similar when tested with a fully patched Microsoft
Internet Explorer 6.0 including the cumulative Microsoft June security
update MS05-025. The issue was tested with Windows XP Professional US, and
default browser settings were in use. The AI RoboForm password manager
plugin was not installed on the system.
The opened Script Prompt asking for 'password' in this test doesn't show
the origin URL of the dialog box. This enables spoofing-type attacks.
Google.com web site without information about its origin URL and/or
The typed text appeared in the generated 'You entered:' JScript dialog box.
From the vendor:
"NetCaptor is the most powerful web browser on the planet! Other
browsers only show one page at a time or squish them together in an
overlapping mess. NetCaptor gives each web site its own tab!"
- Solution status:
- Affected versions:
The vulnerability has been reported in version 7.5.4 Personal Edition.
Other versions may also be affected. The exact file version
checked was 220.127.116.119. The UserAgent string was Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1; NetCaptor 7.5.4).
Commercial version NetCaptor Pro was not tested by the researcher.
Vendor Home Page:
- Download link for version tested:
Do not browse untrusted web sites when browsing trusted sites.
The vendor was contacted on 22nd June, 2005 and a workaround was included to
This issue was assigned as SA15491, FrSIRT/ADV-2005-0820, X-Force
ID1010894 etc. when writing this report.
21-06-2005 - Vulnerability researched
22-06-2005 - Detailed discovery
22-06-2005 - Vendor contacted, workaround offered to the vendor
22-06-2005 - Security companies and several CERT units contacted
Vendor's recent company and contact information was submitted to Open
Source Vulnerability Database's (OSVDB) Vendor Dictionary and several
commercial security companies providing vendor databases to help
customers to inform security issues at Stilesoft products.
Juha-Matti Laurio, Networksecurity.fi