Closed Bug 253285 Opened 20 years ago Closed 20 years ago

security certificate spoofing reported in full-disclosure mailing list

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED DUPLICATE of bug 253121

People

(Reporter: dovix2003, Assigned: bugzilla)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

I got this link from a post in some Israeli forum. The sample spoofing page was
provided by the person who wrote that post (aparently not somebody who likes
Mozilla).

The link for the full-disclosure message is:

http://lists.netsys.com/pipermail/full-disclosure/2004-July/024372.html

It also contains information on how to reproduce the problem.

This is taken from full-disclosure:

--------------------------------

Firefox has caching problem, as a result of that someone can 
spoof a certificate of any website and use it as his/her own.
The problem is exploited using onunload inside  < body> and 
redirection using Http-equiv Refresh metatag,document.write()
and document.close()

First you direct the redirection metatag to the website 
of which you want to spoof the certificate, then inside 
the < body> tag you add onulnoad script so you can control
the output inside the webpage with the spoofed certificate.

After that you say to firefox, as soon as you unload this page 
close the stream, aparently the stream you close is 
the redirection website, you do that with 
document.close().

Now you can write anything you want , you do that 
using document.write(). After writing the content of you choice
you close the stream again , usually firefox wont display your content,
although if you check the source code you see it , so the last thing 
is to refresh the new page (do that using window.location.reload()), 
after that you have your domain name in the url field , your content 
in the browser and the magic yellow Lock on the bottom left corner, 
if you pass your mouse over it you will see displayed the name of 
the website you spoofed the certificate, if you double click on it you 
will check full information of the certificate without any warning !

You dont need to have SSL in your website ! it will work with 
http.

Additional using this bug malicious websites can bypass content 
filtering using SSL properties.

=====================
Proof Of Concept Code
=====================

< HTML>
< HEAD>
< TITLE>Spoofer< /TITLE>
< META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
< /HEAD>
< BODY 
onunload="
document.close();
document.writeln('< body onload=document.close();break;>
            < h3>It is Great to Use example's Cert!');

document.close();
window.location.reload();
">
< /body>

Reproducible: Always
Steps to Reproduce:

*** This bug has been marked as a duplicate of 253121 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.