Firefox Browser URL Spoofing Vulnerability

wald


Just to give the full story: IE isn't vulnerable because it doesn't
implement IDN (International Domain Name) character support. There
are plugins for IE that provide this functionality, and in those
cases the bug affects IE just as well.
Example: http://www.idnnow.com/index.jsp

So, this is not a case where IE has a better implementation of
certain functionality than any other browser. It's just that IE does
not implement this international domain naming standard yet, and is
lucky that this renders it immune for this specific bug.

More info: http://it.slashdot.org/article.pl?sid=05/02/07/1323206&tid=172&tid=113&tid=154&tid=95&tid=1

Regards,
Wald
 
Nolan Doyle

wald

Nolan said:
To render FF immune to this vulnerability:
<snip>

It's not a definite fix for the problem...

Firefox seems to have some quirks when starting up, and in this case
the enableIDN option is not correctly read. Result: after a browser
restart, the option is still set to "false" in about:config, BUT
Firefox doesn't mind and goes on with IDN enabled.

Wald
 
bambam

To render FF immune to this vulnerability:

-type 'about:config' in the location bar
-filter on 'IDN'
-toggle the value of 'network.enableIDN' to FALSE

Obviously this is only a workaround but it works, try the test on
http://secunia.com/multiple_browsers_idn_spoofing_test before and after
applying the modification described above.

According to the article above this doesn't work-

<quote>

Now for the REALLY bad There's no way to fix this problem. Yet.
[Setting network.enableIDN to false in about:config doesn't actually work,
despite rumors to the contrary floating around the blogsphere.] Should you
panic? As I said, no! But, until the browser gurus find a fix, you should
take the following precautions:

<quote>

http://www.netsquirrel.com/articles/mozilla_spoofing.html
 
Ed

Nolan said:
To render FF immune to this vulnerability:

-type 'about:config' in the location bar
-filter on 'IDN'
-toggle the value of 'network.enableIDN' to FALSE

Obviously this is only a workaround but it works, try the test on
http://secunia.com/multiple_browsers_idn_spoofing_test before and after
applying the modification described above.


Is there any downside to making this change? What are the implications
of switching off the IDN implementation?

Ed
 
EA

To render FF immune to this vulnerability:

-type 'about:config' in the location bar
-filter on 'IDN'
-toggle the value of 'network.enableIDN' to FALSE

Obviously this is only a workaround but it works, try the test on
http://secunia.com/multiple_browsers_idn_spoofing_test before and
after applying the modification described above.

Apparently, this fix does not work. However, I'm wondering whether
it is possible to write a Proxomitron filter that detects this and
replaces the link with a warning. I'll try to experiment with that
when I have some free time. In the meantime, anyone else who
writes proxo filters might want to look into that possibility.

E.
 
EA

Apparently, this fix does not work. However, I'm wondering whether
it is possible to write a Proxomitron filter that detects this and
replaces the link with a warning. I'll try to experiment with that
when I have some free time. In the meantime, anyone else who
writes proxo filters might want to look into that possibility.

E.

One more thing:

I haven't had time to play with this or investigate it in depth but
it seems that such addresses contain the character "&". A proxo
filter can detect this and add a warning next to the tag. Not an
ideal solution but it should work until a better solution is
implemented...

E.
 
Denis Vanneste

wald wrote:
It's not a definite fix for the problem...

Firefox seems to have some quirks when starting up, and in this case
the enableIDN option is not correctly read. Result: after a browser
restart, the option is still set to "false" in about:config, BUT
Firefox doesn't mind and goes on with IDN enabled.

You are right. But I think I found another (partial) solution: when
the Linkification extension is enabled, the false link is interpreted
by Firefox as a simple character string, and the HREF specification is
ignored. In the Netsquirrel.com example, the linkified
"http://www.paypal.com/" string leads to the real PayPal page. If I ask
to "unlinkify text", it leads to the "meeow" page.

Of course, this would not work if the link was displayed as "Go to
PayPal" or anything else, instead of the URL "http://www.paypal.com/".
In this case, it could not be linkified.
 
Susan Bugher

<quote>

Now for the REALLY bad There's no way to fix this problem. Yet.
[Setting network.enableIDN to false in about:config doesn't actually work,
despite rumors to the contrary floating around the blogsphere.] Should you
panic? As I said, no! But, until the browser gurus find a fix, you should
take the following precautions:

<quote>

http://www.netsquirrel.com/articles/mozilla_spoofing.html

A couple of simple tests...

If I paste the fake URL into Treepad (plain text only) I see:
http://www.p?ypal.com/

If I paste it into this post (Mozilla - set to plain text only) it looks
okay but I get a warning when I send it and the URL is changed to:

http://www.pаypal.com/

Susan
 
Iain Cheyne

You are right. But I think I found another (partial) solution: when
the Linkification extension is enabled, the false link is interpreted
by Firefox as a simple character string, and the HREF specification is
ignored. In the Netsquirrel.com example, the linkified
"http://www.paypal.com/" string leads to the real PayPal page. If I ask
to "unlinkify text", it leads to the "meeow" page.

Of course, this would not work if the link was displayed as "Go to
PayPal" or anything else, instead of the URL "http://www.paypal.com/".
In this case, it could not be linkified.

No, this does not work. The original spoofed address is still sending you
to the "meeow" page.

Maybe you were confused by all the "linkified links"? I have set the
extension to colour my linkified links green with a yellow background, so I
can always spot them.
 
Mike S.

Apparently, this fix does not work. However, I'm wondering whether
it is possible to write a Proxomitron filter that detects this and
replaces the link with a warning. I'll try to experiment with that
when I have some free time. In the meantime, anyone else who
writes proxo filters might want to look into that possibility.

What about Spoofstick? The toolbar that is supposed to display the "real"
site name ... is it fooled by this?

http://www.corestreet.com/spoofstick
 
Denis Vanneste

Iain Cheyne wrote:
No, this does not work. The original spoofed address is still
sending you to the "meeow" page.

Maybe you were confused by all the "linkified links"? I have set
the extension to colour my linkified links green with a yellow
background, so I can always spot them.

No, I'm not confused. The spoofed address (the one under this
sentence: "Well, just click on the following hyperlink to PayPal")
actually sends me to the PayPal site when it's linkified. If I had not
tried the "Unlinkify text" option, I would never have seen this "meeow"
page. I really wonder why it doesn't work for you, but it works for me.

I copied the link target to the clipboard and watched the result in
Yankee Clipper. When unlinkified, it looks like this:

http://www.p?ypal.com/

When linkified, I get the normal PayPal URL.

By the way, my linkified links have the same colours as yours (they
might be default colours, since I don't remember having set them).
 
me

One more thing:

I haven't had time to play with this or investigate it in
depth but it seems that such addresses contain the
character "&". A proxo filter can detect this and add a
warning next to the tag. Not an ideal solution but it
should work until a better solution is implemented...

E.

Not just "&". A line in "URL Killfile.txt" can prevent it.

A little harder (more testing) is avoiding false positives.

J
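The thread's two detection ideas (EA's "look for '&' in the href" and Susan's "paste the URL as plain text and see what it really is") can be made precise by decoding the entity and looking at which Unicode scripts the hostname mixes. This is an added example, not code from any poster; the sample href is constructed from the PayPal case the thread discusses, and the helper names are my own.

```python
import html
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: the kind of anchor href the thread describes, where
# the Cyrillic small "a" (U+0430) is hidden behind an HTML numeric entity.
SAMPLE_HTML_HREF = "http://www.p&#1072;ypal.com/"


def decode_href(raw_href):
    """Turn &#1072;-style entities into the characters the browser sees."""
    return html.unescape(raw_href)


def has_entity(raw_href):
    """The crude '&' heuristic from the thread: entity present in the href.
    Cheap, but it also fires on legitimate query strings (false positives)."""
    return "&#" in raw_href


def scripts_in(label):
    """Scripts present in one hostname label, taken from the first word of
    each character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":          # digits and hyphen are script-neutral
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def analyze_href(raw_href):
    """Report the display hostname, its punycode form (what a plain-text
    paste or a non-IDN client shows), and any suspicious labels."""
    host = urlsplit(decode_href(raw_href)).hostname or ""
    findings = []
    for label in host.split("."):
        found = scripts_in(label)
        if len(found) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(found))))
        elif not label.isascii():
            findings.append((label, "non-ASCII label"))
    return {
        "display": host,
        "punycode": host.encode("idna").decode("ascii"),
        "findings": findings,
    }


if __name__ == "__main__":
    print(analyze_href(SAMPLE_HTML_HREF))
```

The punycode form ("www.xn--pypal-4ve.com") is what a filter should surface next to the link, since the mixed-script label is invisible once Firefox renders the IDN.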
 
Guest

Then feel perfectly free not to use it. You could always learn about
what a proxy.pac file is and how it is used and installed, or maybe you
could come up with a fix yourself that's easier to understand.

Or you could just bitch about it being too complicated.