Closed Bug 479561 Opened 17 years ago Closed 16 years ago

Not always warned about userinfo URL spoofing (e.g. http://somesite.com@malicious.com)

Categories: Core :: Networking, defect
Platform: x86 / All
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED INCOMPLETE
Reporter: rayv5n (Unassigned)
Whiteboard: [sg:needinfo]

User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5

Using the @ symbol you can force a redirection of the Firefox browser by stipulating http://anyserver.com@anyotherserver.com where the goal is to send the user to anyotherserver.com. This doesn't appear to happen in Firefox version 2.x but seems to be a problem in the latest 3.x version.

Reproducible: Always

Steps to Reproduce:
1. Enter http://www.google.com@www.fish.com
2. Hit enter
3. Get redirected to www.fish.com

Actual Results:
Browser is redirected to the second URL

Expected Results:
Provide a warning "You are about to log in to www.fish.com without a user account. Are you sure you want to be redirected to www.fish.com?" --- or something like what you get with older versions of Firefox

I think this is just an older but a goodie. Hope you guys fix this quick!
I see the warning both when visiting a link and entering "http://foobar@nhl.com" directly into the location bar, using a recent trunk build and 3.0.6. Can you reproduce this with all extensions disabled or in a new profile?
Group: core-security
I turned off all my plugins, restarted Firefox, and I was not able to reproduce the problem. After re-enabling each plugin one by one and restarting Firefox I was still unable to reproduce this. The problem also appears in Safari on my Intel Mac and I can reproduce this every time: restart, disable plugins, what have you. Four other associates of mine are having the same problem and I have requested information on what they are running as well. I found this problem while doing a pen-test for a customer, so I'm trying to go back over my steps to see if something got introduced into my browser's environment. As soon as I can correlate what the others' experiences are I'll report back.
One of the guys just chimed in with this information:

I have a bunch of plugins installed that would confuse the issue. But I have a vanilla Firefox 3.0.6 with no extensions/plugins/themes running in a VM under Windows and it exhibits the same behavior - the address bar changes to the unencoded URL after the @ but Firefox displays the error "Firefox can't find the server at ...". I have Firefox 3.0.6 on NT Server 2003 and I don't have this problem. I get "You are about to log in to the site www.fish.com with username "www%2egoogle%2e.com", but the website doesn't require authentication. This may be an attempt to trick you"...
I got another reply.. I am running Firefox 3.0.6 and Safari Version 3.2.1 (5525.27.1). On Firefox I got a warning message stating “Confirm: You are about to log into the site “www.fish.com” with the username “www%2Egoogle%2Ecom”, but the website does not require authentication. This may be an attempt to trick you. Is www.fish.com the site you want to visit?”. Safari did not give such a message.
You don't get the warning if the domain isn't found: http://anyserver.com@anyotherserver.com doesn't give a warning, while http://www.google.com@www.fish.com should give you the warning after Gecko has got a connection to the server, and this works fine using FF3.0.6 and the Seamonkey 1.9.1 branch on win32.
I concur; if using the IP address http://www.google.com@74.125.19.99, Firefox is redirected without warning. Safari BTW doesn't warn you either way.
That works fine using Firefox 3.0.6 and the Seamonkey 1.9.1 branch; I get a warning with the IP as in every other case in this bug. We can't reproduce your issues. Did you test this in Firefox safe mode?
Let's drop the incorrect and misleading term "redirected". The URL syntax is interpreted as

http://[ username [ ":" password ] "@" ] host.tld "/" path

Since the average user doesn't understand this it became a phisher's playground, using the spoof target site as the username and pushing the phisher's own host further down the URL string where users won't notice. There is no redirection: host.tld is always the host and the URI is syntactically logging in with a username that looks suspiciously like a well-known domain.

Microsoft's response was to simply reject URLs with embedded userinfo; after all, even the RFCs that define the syntax strongly recommend against using it. Mozilla has so far taken the approach of making sure users are told the real site they're connecting to. If you're not getting the "suspicious authentication" warning that's a bug we'd want to fix, if we can figure out how to reproduce it.
Component: Security → Networking
Product: Firefox → Core
QA Contact: firefox → networking
Summary: URL redirection using the @ symbol http://somesite.com@malicious.com → Not always warned about userinfo URL spoofing (e.g. http://somesite.com@malicious.com)
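The syntax breakdown in the previous comment, worked through in code. This is an added example, not code from the bug or from Gecko: it uses the WHATWG URL API (available in browsers and Node.js) to show that the host is always the part after the "@", that percent-encoding the username does not change that, and how a client-side check can flag userinfo that looks like a hostname. The HOST_LIKE heuristic and the warningMessage() wording (modeled on the Firefox prompt quoted in comment 3) are this example's own assumptions. Unlike Gecko's prompt, which the thread notes only appears after the server has answered, this check needs no network access.

```javascript
// Added example (not from the bug or Mozilla's code). Authority syntax:
//   http://[ username [ ":" password ] "@" ] host.tld "/" path
// The request goes to host.tld regardless of what precedes the "@".

// Assumption (our own heuristic, not Gecko's): a username shaped like
// label.label[.label...] is the classic "spoof target as username" pattern.
const HOST_LIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

// Percent-decode defensively; malformed sequences fall back to the raw text.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s;
  }
}

function analyzeUrl(input) {
  let url;
  try {
    url = new URL(input);          // WHATWG parser: host is after the last "@"
  } catch (e) {
    return { valid: false };
  }
  const hasUserinfo = url.username !== "" || url.password !== "";
  // Decoding matters: "www%2Egoogle%2Ecom" is the same username as
  // "www.google.com" and must be judged on its decoded form.
  const username = safeDecode(url.username);
  return {
    valid: true,
    host: url.hostname,            // the site the user is actually connecting to
    username,
    hasUserinfo,
    usernameLooksLikeHost: hasUserinfo && HOST_LIKE.test(username),
  };
}

// Build a prompt that names the real host, in the spirit of the Firefox
// "suspicious authentication" dialog; null when there is nothing to warn about.
function warningMessage(input) {
  const r = analyzeUrl(input);
  if (!r.valid || !r.hasUserinfo) return null;
  return `You are about to log in to the site "${r.host}" with the username ` +
    `"${r.username}", but the website may not require authentication. ` +
    `This may be an attempt to trick you. Is ${r.host} the site you want to visit?`;
}

// Constructed samples taken from the URLs discussed in this bug.
const SAMPLES = [
  "http://www.google.com@www.fish.com",
  "http://www.google.com@74.125.19.99",
  "http://www%2Egoogle%2Ecom@www.fish.com",
  "http://foobar@nhl.com",
  "http://www.fish.com/",
];

for (const s of SAMPLES) {
  const r = analyzeUrl(s);
  console.log(s, "->", "host:", r.host, "| userinfo:", r.hasUserinfo,
    "| host-like username:", r.usernameLooksLikeHost);
}
```

The useful property for a defender is that the host-like username is a static signal: a proxy, mail gateway or URL-rewriting filter can raise it before any connection is made, which is exactly the gap described in the thread where an unresolvable host yields no prompt at all.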
I'm still waiting to hear back from some of the others on whether or not they are having the same problem. So far the only thing I've been able to link it to "POSSIBLY" is some Ajax script interaction I saw while looking at a particular website. After I logged out and restarted my browser I couldn't reproduce the problem. I'll report back once I have some solid information. Thanks!
Whiteboard: [sg:needinfo]
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INCOMPLETE