Closed Bug 250629 Opened 21 years ago Closed 21 years ago

Mozilla 1.7 (and presumably below) allows PHP spoofing of the URL of a site

Categories

(Core :: Security, defect)

x86
Windows XP
defect
Not set
major

RESOLVED INVALID

People

(Reporter: steven, Assigned: dveditz)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040616

I received a clever phishing email (which I caught onto rather quickly, BTW) and in the process of reporting it to the Anti-Phishing Working Group noticed that the site called was set up to spoof the URL using a PHP script, but that this did not work in newer versions of IE. Curious, I went to the site listed, and it spoofed Mozilla like a charm. The actual URL (http://218.36.41.188/us/index.php) showed up in the browser as a legit US Bank URL (http://www.usbank.com/cgi_w/cfm/acct_login.cfm) when, in fact, it was still the phisher's site. This should be fixed as a security measure.

Reproducible: Always

Steps to Reproduce:
1. Go to a well-done phishing site (such as http://218.36.41.188/us/index.php)
2. Look at the URL in the address bar

Actual Results: URL was spoofed to look like it was a legit USBank.com site

Expected Results: Displayed the true URL
Assignee: general → dveditz
Component: Browser-General → Security: General
QA Contact: general
No, it isn't, the spoofer site sends:

<script language="JavaScript">
location.href=unescape('http://www.usbank.com/cgi_w/cfm/acct_login.cfm');
</script>

So normal JS redirect to the usbank site and correct URL in url bar.
-->invalid
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → INVALID
Sorry, but that's incorrect. Go here to read all about it: http://www.antiphishing.org/phishing_archive/07-09-04_US_Bank_(Important_U.S._Bank_eNews).html The site uses a URL to redirect. Try going to the phish site specified in the most recent IE and you'll see what I mean. The Javascript never actually executes as far as I can tell.
Oops. That last one should have read "uses a PHP script to redirect," not "uses a URL." Think one thing, type another.
See what http://web-sniffer.net/?url=http%3A%2F%2F218.36.41.188%2Fus%2Findex.php&submit=Submit&gzip=yes&type=GET tells me:

HTTP Status Code: HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0 CRLF
Date: Sat, 10 Jul 2004 07:30:47 GMT CRLF
Connection: close CRLF
Content-type: text/html CRLF
X-Powered-By: PHP/4.3.7 CRLF

Content (0.12 KiB)

<script language="JavaScript">
location.href=unescape('http://www.usbank.com/cgi_w/cfm/acct_login.cfm');
</script>

There is no redirect header, it just sets a new location. I checked it also with Venkman, the integrated JS Debugger in Mozilla that you get redirected via JS. Maybe you get a different site with IE?
Exactly, see what IE gets here (captured via Ethereal):

GET /us/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: de
~~~~~~~~~~~~~~~: ~~~~~ ~~~~~~~
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: 218.36.41.188
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 10 Jul 2004 07:36:51 GMT
Connection: close
Content-type: text/html
X-Powered-By: PHP/4.3.7

<script language="JavaScript">
location.href=unescape('http://www.usbank.com%01@218.36.41.188/us/login.html');
</script>
I think I get what you're saying. You are saying that the code that is intended to fool IE users into thinking they've been redirected to the legit US Bank does, in fact, actually redirect Mozilla users to the legit US Bank site?
Exactly, this site tries to fool IE users only, maybe because the site uses the @ bug in IE.
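
The exchange above, as an added example that is not part of the original bug report or of Mozilla's code: it takes the two response bodies quoted in the comments and shows which host each redirect target really resolves to, flagging the userinfo ("@") traits of the one served to IE. The helper names `extractRedirectTarget` and `inspectRedirect` and the finding labels are assumptions made for this illustration.

```javascript
// Added example. The two bodies are the responses quoted in this bug:
// what Mozilla was served and what IE 6 was served by the same URL.
const bodyForMozilla = "<script language=\"JavaScript\"> location.href=unescape('http://www.usbank.com/cgi_w/cfm/acct_login.cfm'); </script>";
const bodyForIE = "<script language=\"JavaScript\"> location.href=unescape('http://www.usbank.com%01@218.36.41.188/us/login.html'); </script>";

// Hypothetical helper: pull the argument of unescape() out of the script.
function extractRedirectTarget(body) {
  const m = /location\.href\s*=\s*unescape\('([^']*)'\)/.exec(body);
  return m ? m[1] : null;
}

// Hypothetical helper: report the host that will really be contacted and
// the traits that make the target look like a userinfo ("@") spoof.
function inspectRedirect(rawTarget) {
  // Decode %XX escapes, as the page's unescape() call does before navigating.
  const decoded = rawTarget.replace(/%([0-9a-fA-F]{2})/g,
    (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  const url = new URL(decoded); // everything before "@" is userinfo, not host
  const authority = decoded.split("//")[1].split(/[\/?#]/)[0];
  const findings = [];
  if (url.username || url.password) findings.push("userinfo-present");
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(url.username)) {
    findings.push("userinfo-looks-like-hostname");
  }
  if (/[\x00-\x1f\x7f]/.test(authority)) findings.push("control-char-in-authority");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(url.hostname)) findings.push("ip-literal-host");
  return { realHost: url.hostname, findings };
}

for (const [client, body] of [["Mozilla", bodyForMozilla], ["IE 6", bodyForIE]]) {
  const result = inspectRedirect(extractRedirectTarget(body));
  console.log(client, "->", result.realHost, result.findings.join(", ") || "no findings");
}
```

The same check can be applied to any link or redirect target before it is shown to a user, so that the host after the "@" is what gets displayed or matched against an allowlist.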