Closed
Bug 1234022
Opened 10 years ago
Closed 10 years ago
UTF-8 Unicode Charset Exploitable.
Categories
(Core :: DOM: HTML Parser, defect)
RESOLVED
INVALID
People
(Reporter: adrian.katong, Unassigned, Mentored)
Attachments (1 file): 354.64 KB, image/png
Hello, I'm from Malaysia and my name is Adrian Aldan.
Today I encountered a very potential vulnerability in the HTML UTF-8 Unicode Charset system.
By putting this header in HTML, hackers with good HTML skills are potentially able
to create a phishing page and disguise it as the original website. Sample of the code:
<html>
<!--Using meta redirect-->
<meta http-equiv="Refresh" content="0; url= data:text/html;charset=utf-8&https://www.dropbox.com/business/secure/login;base64,[YOUR BASE64 CODE]">
</html>
See the example phishing page link here:
http://goo.gl/ZTqrBm
However, only Firefox is infected with this kind of attack.
Firefox version 43.0.1
Comment 2•10 years ago
Here is what I see. I believe you are saying that the ability to put a URL in the URL bar here - after the data: scheme - could mislead a user into thinking that they are on a given domain. Please correct me if I'm wrong.
Comment 3•10 years ago
It seems this is a potential spoofing issue.
data:text/html;charset=utf-8&<anything you like to try to spoof the url>;base64,<base64 data containing spoofed page>
"Here is what I see. I believe you are saying that the ability to put a URL in the URL bar here - after the data: scheme - could mislead a user into thinking that they are on a given domain. Please correct me if I'm wrong."
Yes, this is what I'm talking about: spoofing. It will mislead the client into thinking that they are on the real website. Even worse, people can make a bank page look more real, like they were there.
"It seems this is a potential spoofing issue.
data:text/html;charset=utf-8&<anything you like to try to spoof the url>;base64,<base64 data containing spoofed page>"
Yes sir, that is correct; people can make any page and put in anything they have in mind.
Hello, I don't understand here; this is my first time reporting a bug. I hope my bug qualifies for a bug bounty. Please reply.
Comment 7•10 years ago
I don't think this is a serious concern. There are many ways to put this string in the URL bar, and none of them will trick the browser into displaying it as a legitimate domain.
Note that in your sample, the (quasi-spoofed) domain is not shown in bold text as it normally would be. It is not in the location that a user would expect it in, either. So based on that, I think that there is nothing incorrect here.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
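The header-stuffing pattern quoted in comment 3, checked from the defender's side (an added example, not code from this bug or from Mozilla): it splits a data: URL along the RFC 2397 layout and flags media-type parameters that carry URL-like text. The function name, the two regexes and the sample URLs are constructed for illustration.

```javascript
// Added example (not from the bug report): inspect a data: URL header for
// URL-like text. Names, regexes and SAMPLES are constructed for illustration.

// RFC 2045 token: no spaces, control characters or tspecials.
const TOKEN = /^[^\s()<>@,;:\\"\/\[\]?=\x00-\x1f\x7f]+$/;
// Text a reader could mistake for a web address.
const URL_LIKE = /[a-z][a-z0-9+.-]*:\/\/|\bwww\./i;

function inspectDataUrl(url) {
  const result = { isDataUrl: false, mediaType: null, rendersAsPage: false, findings: [] };
  if (!/^data:/i.test(url)) return result;
  result.isDataUrl = true;
  const comma = url.indexOf(",");
  if (comma === -1) {
    result.findings.push("malformed: no comma separating header from data");
    return result;
  }
  // RFC 2397 layout: data:[<mediatype>][;base64],<data>
  const [mediaType, ...params] = url.slice(5, comma).split(";");
  result.mediaType = mediaType;
  result.rendersAsPage = /^text\/html$/i.test(mediaType.trim());
  for (const p of params) {
    if (p.toLowerCase() === "base64") continue;
    const eq = p.indexOf("=");
    const name = eq === -1 ? p : p.slice(0, eq);
    const value = eq === -1 ? "" : p.slice(eq + 1);
    const quoted = /^".*"$/.test(value);
    if (!TOKEN.test(name) || (value && !quoted && !TOKEN.test(value))) {
      result.findings.push(`parameter is not attribute=token: ${p}`);
    }
    if (URL_LIKE.test(p)) result.findings.push(`URL-like text in header: ${p}`);
  }
  return result;
}

// Constructed samples; the first follows the pattern quoted in comment 3.
const SAMPLES = [
  "data:text/html;charset=utf-8&https://www.dropbox.com/business/secure/login;base64,PGI+aGk8L2I+",
  "data:text/html;charset=utf-8;base64,PGI+aGk8L2I+",
  "data:image/png;base64,iVBORw0KGgo=",
];
for (const s of SAMPLES) {
  const r = inspectDataUrl(s);
  console.log(r.rendersAsPage, r.findings.length, s.slice(0, 48));
}
```

A link or meta refresh filter can apply this to each target and hold back any URL where rendersAsPage is true and findings is non-empty.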