User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040727
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040727

A recent report has hit Bugtraq about a Mozilla certificate spoofing vulnerability. More information can be found here:
http://www.securityfocus.com/archive/1/369953/2004-07-25/2004-07-31/2

I have tested this on Mozilla 1.7 and Firefox 0.9 on various platforms using various different versions and can consistently reproduce the error when valid exploit code is used.

Reproducible: Always

Steps to Reproduce:
1. Copy the example code into a new file, fix the errors caused by the copy/paste and/or put in by the author
2. Put in a real https site in place of example.com
3. Browse to the example code

Actual Results:
The content inserted by the code is shown as the validated web page even though it is not the real content from that web page. The lock is shown closed and browsing to the certificate shows the certificate from the spoofed page.

Expected Results:
The lock should open and show the site as insecure, not using the spoofed site certificate.

This bug has been publicly posted to Bugtraq, so it is now "in the wild."

This was fixed last night on trunk, 1.7 branch, and aviary branch, and this morning on the 1.4 branch.

*** This bug has been marked as a duplicate of 253121 ***

Status: UNCONFIRMED → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE