Closed
Bug 441811
Opened 17 years ago
Closed 15 years ago
Invalid IDN characters show up as "?" and can be used to spoof the address bar
Categories
(Firefox :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: u315569, Unassigned)
Details
(Whiteboard: [sg:low spoof])
Attachments
(1 file: 1.92 KB, image/png)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14
The question mark sign can be used in a URL to end the hostname. When a punycode URL contains non-existing unicode characters, they show up as a question mark as well. This allows anybody to insert a question mark inside the hostname and spoof the address bar by making it look as if the content comes from one site, where in reality it comes from another.
Reproducible: Always
Steps to Reproduce:
Open this URL:
* http://www.google.xn--comsearchwww-dp5iq36f.skylined.de/
Actual Results:
Address bar looks like this:
http://www.google.com?search=www.skylined.de/user/index.php
Expected Results:
Address bar should look like this:
http://www.google.xn--comsearchwww-dp5iq36f.skylined.de/
I do NOT own skylined.de. I found it conveniently uses a DNS wildcard and is in the IDN whitelist, which allows me to use it in the PoC URL.
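A display-side check for the case described in this report, as an added example (not code from Firefox or from this bug): it decodes each `xn--` label and keeps the label in punycode form when it contains code points that have no glyph of their own, and it goes one step beyond the report by also flagging characters that NFKC-normalize to a URL delimiter. The host names and the functions `label_problems`, `display_host` and `make_label` are constructed for illustration.

```python
import unicodedata

# Unassigned, private-use, surrogate, control and format chars have no glyph.
NO_GLYPH_CATEGORIES = {"Cn", "Co", "Cs", "Cc", "Cf"}
URL_DELIMITERS = set("/?#@:=&\\")


def label_problems(label):
    """Return reasons why an A-label (xn--...) is unsafe to show decoded."""
    if not label.lower().startswith("xn--"):
        return []
    try:
        decoded = label[4:].encode("ascii").decode("punycode")
    except ValueError:  # UnicodeError is a subclass of ValueError
        return ["not valid punycode"]
    problems = []
    for ch in decoded:
        cat = unicodedata.category(ch)
        if cat in NO_GLYPH_CATEGORIES:
            problems.append("U+%04X has category %s" % (ord(ch), cat))
        elif URL_DELIMITERS & set(unicodedata.normalize("NFKC", ch)):
            problems.append("U+%04X normalizes to a URL delimiter" % ord(ch))
    return problems


def display_host(host):
    """Return (text_to_display, problems); flagged labels stay as punycode."""
    shown, problems = [], []
    for label in host.split("."):
        found = label_problems(label)
        problems += found
        if found or not label.lower().startswith("xn--"):
            shown.append(label)
        else:
            shown.append(label[4:].encode("ascii").decode("punycode"))
    return ".".join(shown), problems


def make_label(text):  # helper that builds the constructed samples below
    return "xn--" + text.encode("punycode").decode("ascii")


# Constructed samples: U+0378 is unassigned, U+FF1F is FULLWIDTH QUESTION MARK.
SPOOF = "www.example." + make_label("com\u0378search") + ".example.test"
LOOKALIKE = make_label("com\uff1fq") + ".example.test"
BENIGN = make_label("b\u00fccher") + ".example.test"

for _host in (SPOOF, LOOKALIKE, BENIGN):
    print(_host, "->", ascii(display_host(_host)))
```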
Updated•17 years ago
Component: General → Security
QA Contact: general → firefox
Version: unspecified → 2.0 Branch
Comment 1•17 years ago
I'll let dveditz weigh in, of course, but in Firefox 3 we render IDN in the location bar, instead of ? placeholders, so I believe this bug is FIXED.
I think we're very unlikely to port that code back to the v2 branch though, since there is significant code change involved, and Firefox 3 is now available to the public.
Comment 2•17 years ago
(In reply to comment #1)
> in Firefox 3 we render IDN in the location bar, instead of ? placeholders, so I
> believe this bug is FIXED.
Assuming you have a suitable font installed, of course - usually the case on Mac, less often so on Windows.
The Firefox 3 "missing font" glyph is a little box with the character's unicode codepoint written in hex instead of "?", though, which mitigates this somewhat... it's still pretty confusing.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 3•17 years ago
Updated•17 years ago
OS: Windows Vista → All
Hardware: PC → All
Whiteboard: [sg:low spoof]
It's been half a year - is anything being done about this?
Exploitability requires the right font installed on the target machine. Gavin obviously does not, I expect he has a default Windows XP. Regardless, there may be users who have the right font installed, or an attacker can use other UNICODE chars that can be used to trick a user on Windows XP. Vista seems to have more UNICODE chars by default so is more susceptible.
Determining which fonts are installed should be possible using HTML/JavaScript by setting fonts and testing the size of specific characters. An attacker could choose the best UNICODE chars for the available fonts on a victim's machine.
Highlighting the server name part of a URL would be a good solution to this problem, something other browsers are already doing. Are there plans for adding that feature to Firefox?
Comment 5•15 years ago
The current behaviour is to display the glyph with the four tiny hex characters, which is designed so it can't be confused with any other. Therefore, I don't think there's anything else to do here.
Gerv
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → WORKSFORME
Updated•10 years ago
Group: core-security → core-security-release
Updated•10 years ago
Group: core-security-release