Closed Bug 281496 Opened 21 years ago Closed 21 years ago

IDN spoofing test shows Firefox vulnerability

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
normal

VERIFIED DUPLICATE of bug 279099

People

(Reporter: dermotos, Assigned: bugzilla)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

-----Original Message-----
From: Secunia Security Advisories [mailto:sec-adv@secunia.com]
Sent: 07 February 2005 15:30
To: Fuller, Rupert
Subject: [SA14163] Mozilla / Firefox / Camino IDN Spoofing Security Issue

TITLE: Mozilla / Firefox / Camino IDN Spoofing Security Issue

SECUNIA ADVISORY ID: SA14163

VERIFY ADVISORY: http://secunia.com/advisories/14163/

CRITICAL: Moderately critical

IMPACT: Spoofing

WHERE: From remote

SOFTWARE:
Mozilla 1.7.x http://secunia.com/product/3691/
Mozilla Firefox 0.x http://secunia.com/product/3256/
Mozilla Firefox 1.x http://secunia.com/product/4227/

DESCRIPTION:
Eric Johanson has reported a security issue in Mozilla / Firefox / Camino, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

The problem is caused due to an unintended result of the IDN (International Domain Name) implementation, which allows using international characters in domain names.

This can be exploited by registering domain names with certain international characters that resembles other commonly used characters, thereby causing the user to believe they are on a trusted site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue: http://secunia.com/multiple_browsers_idn_spoofing_test/

The issue has been confirmed in Mozilla 1.7.5 and Firefox 1.0. Other versions may also be affected.

SOLUTION:
Disable IDN support by setting network.enableIDN to "false".
Don't follow links from untrusted sources.
Manually type the URL in the address bar.

PROVIDED AND/OR DISCOVERED BY:
Originally described by: Evgeniy Gabrilovich and Alex Gontmakher
Reported by: Eric Johanson

ORIGINAL ADVISORY: http://www.shmoo.com/idn/homograph.txt

OTHER REFERENCES:
The Homograph Attack: http://www.cs.technion.ac.il/~gabr/papers/homograph.html
ICANN paper on IDN Permissible Code Point Problems: http://www.icann.org/committees/idn/idn-codepoint-paper.htm

----------------------------------------------------------------------

About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

----------------------------------------------------------------------

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=rupert.fuller%40pioneerinvest.ie

----------------------------------------------------------------------

Reproducible: Always
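The advisory above describes look-alike international characters in domain names. The following check is an added example, not part of the bug report or of Mozilla's code: it reports each hostname label's ASCII (Punycode) form and flags labels that mix scripts. The function names, the script heuristic (first word of the Unicode character name) and the sample hostnames are assumptions constructed for illustration.

```python
import unicodedata

def script_of(ch):
    """Coarse script label taken from the Unicode character name (heuristic)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and '-' fit any script
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def to_unicode(label):
    """Decode an ACE ('xn--') label so its real characters can be inspected."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label

def to_ace(label):
    """ASCII-compatible (Punycode) form of a label, or None if it cannot be encoded."""
    try:
        return label.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def inspect_host(host):
    """Per-label report: Unicode form, ACE form, and homograph warning flags."""
    report = []
    for raw in host.lower().split("."):
        if not raw:
            continue
        label = to_unicode(raw)
        scripts = sorted({script_of(c) for c in label} - {"COMMON"})
        report.append({
            "label": label,
            "ace": to_ace(label),
            "non_ascii": not label.isascii(),
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
        })
    return report

def is_suspicious(host):
    """True when any label mixes scripts, e.g. Latin letters plus one Cyrillic letter."""
    return any(r["mixed_script"] for r in inspect_host(host))

# Constructed samples: the second uses U+0430 (Cyrillic 'a') in place of Latin 'a'.
SAMPLES = ["www.example.com", "www.ex\u0430mple.com", "b\u00fccher.example"]
if __name__ == "__main__":
    for h in SAMPLES:
        print(h.encode("unicode_escape").decode(), is_suspicious(h), inspect_host(h))
```

A mixed-script flag does not catch a label written entirely in one non-Latin script that happens to resemble a Latin name, so the `ace` and `non_ascii` fields are reported for every label to support a stricter policy.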
*** This bug has been marked as a duplicate of 279099 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Resolution: --- → DUPLICATE
verified dupe
Status: RESOLVED → VERIFIED
Depends on: punycode
No longer depends on: punycode