SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Browser)  >   AMBrowser Vendors:   AMBrowser.com
AMBrowser Lets Remote Users Spoof Javascript Dialog Boxes
SecurityTracker Alert ID:  1014314
SecurityTracker URL:  http://securitytracker.com/id/1014314
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 28 2005
Impact:   Disclosure of user information, Modification of user information
Exploit Included:  Yes  
Version(s): 2.0.0
Description:   Juha-Matti Laurio reported a vulnerability in AMBrowser. A remote user can spoof Javascript dialog boxes.

The browser displays Javascript dialog boxes without indicating the origin of the dialog box. As a result, a remote user can create HTML that will display a dialog box that appears to originate from a trusted site.

A demonstration exploit is available at:

http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/

The vendor was notified on June 26, 2005.

Jakob Balle of Secunia Research originally discovered this type of vulnerability, affecting a variety of browsers.

Impact:   A remote user can spoof Javascript dialog boxes.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ambrowser.com/ (Links to External Site)
Cause:   State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  New AM Browser Dialog Origin Spoofing Vulnerability


- Description:
The newest AM Browser version 2.0.0, released on 21th June 2005, is 
confirmed as affected to new remote type Multiple Browsers Dialog Origin 
Vulnerability. Tests was done with Secunia test
page
http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ .

- Result:
Result was similar when tested with fully patched Microsoft Internet 
Explorer 6.0 (6.0.2800.1106) including cumulative Microsoft June 
security update MS05-025. Issue was tested with Microsoft Windows XP 
Professional US and default browser settings were in use.

Opened Script Prompt asking 'password' at this test issue doesn't show 
the origin url of the dialog box. Internal Pop-up Blocker doesn't 
prevent a new dialog box to open. This enables spoofing-type
attacks.
Browser status bar shows the following text for 'Test Now - Left Click 
On This Link' link:
http://www.google.com/
Menu setting Tools / Allow Pop-ups (F8) is disabled by default. Menu 
setting Enable Smart Pop-up Blocker ('Blocks Popups automatically') is 
enabled by default.

When selecting the test link at Secunia's Test Case / Demonstration 
page, a JavaScript dialog box (in fact, JScript) was displayed in front 
of the Google.com (or localized Google.fi etc.) web site without
information about its origin URL and/or domain name. Typed text was 
appeared to generated 'You entered:' JScript dialog box later.

- Technical details:
A dialog box was opened via test-like PHP script, located at 
http://www.google.com.secunia.com/tests/origin_spoof.php . This 
malicious test-type address was not shown to user, however.

>From the vendor:
"Enhance your Web browsing experience! AM Browser is a powerful Web 
browser. It provides many features that make surfing the web more 
comfortable and less confusing. It has the ability to open multiple 
sites and windows inside a single browser task. This Web browser also 
has a Smart Pop-up Blocker - it blocks all the annoying pop-ups 
automatically!"

- Solution status:
No solution was available at the time of reporting.

- Software:
AMBrowser.com AM Browser 2.x
(freeware)

- Affected versions:
The vulnerability has been reported in version 2.0.0. Other versions may 
also be affected as well. The exact .exe file version checked was 
2.0.0.0.

- Vendor:
AMBrowser.com

Vendor Home Page:
http://www.ambrowser.com/

Product Home Page:
http://www.ambrowser.com/

Download link for version tested:
http://www.ambrowser.com/download.htm

OS: Microsoft Windows

CVE reference: N/A

- Solution:
Do not browse untrusted web sites when browsing trusted sites.

The following workarounds are provided and tested by the researcher:
- Check the URL address of a browser window opening new dialog box 
titled as 'Explorer User Prompt' and containing text like 'Script 
Prompt' etc. in some way. Dialog box title is localized in non-English
contains multiple domain suffixes, for example
www.real-address.com.non-real-address.com, use the following workaround 
method:
- When typing sensitive information to a Web site password-type dialog 
boxes, be sure that this site is a legitimate site.

NOTE: Using multiple domain suffixes may indicate a spoofing attempt. 
Examining of the dialog box addressess can be done by View / Source 
function etc. In this demonstration page mentioned the JavaScript code 
used is the following:
window.open('http://www.google.com.secunia.com/tests/origin_spoof.php' .

Additionally, Microsoft has published a security advisory to help IE (or 
software using IE's engine) users to avoid possible spoofing attemps; 
located at
http://www.microsoft.com/technet/security/advisory/902333.mspx .

Vendor was contacted on 26th June, 2005 with e-mail. Workarounds were 
included to the
report.

Timeline:
22-06-2005 - Workaround information sent to local CERT-FI unit
23-06-2005 - CERT-FI replied, no security advisory about Internet 
Explorer or IE based browsers coming
24-06-2005 - Technical details and workarounds provided sent to 
Microsoft Security Response Center
24-06-2005 - MSRC replied
25-06-2005 - Vulnerability in AM Browser researched
26-06-2005 - Vendor contacted, workarounds offered to the vendor
26-06-2005 - Security companies and several CERT units contacted


Best regards,
Juha-Matti Laurio, Networksecurity.fi
Security researcher
Finland
http://www.networksecurity.fi
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC