Firefox Browser URL Spoofing Vulnerability


EA

(e-mail address removed) typed in
Not just "&". A line in "URL Killfile.txt" can prevent it.

Little harder (more testing) is to avoid false-positives.


My suggestion would lead to false positives because there are
legitimate links that use unicode characters (unlikely to be found in
pages from countries that use Roman characters but still....).
That's why I suggested adding a "warning" next to the link instead of
using the killfile. One could then check out the URL if there is
such a warning and determine if it's legit. That should be a rare
situation anyway so false positives would not be a big problem...

Why not just "&"? I might be wrong here but I thought that all
unicode characters have "&" when they are represented as ascii. I
plan to work on a proxo filter on this over the weekend, so if I'm
wrong about the unicode, please correct me....

E.
 

EA

(e-mail address removed) typed in


My suggestion would lead to false positives because there are
legitimate links that use unicode characters (unlikely to be found
in pages from countries that use Roman characters but still....).
That's why I suggested adding a "warning" next to the link instead
of using the killfile. One could then check out the URL if there
is such a warning and determine if it's legit. That should be a
rare situation anyway so false positives would not be a big
problem...

Why not just "&"? I might be wrong here but I thought that all
unicode characters have "&" when they are represented as ascii. I
plan to work on a proxo filter on this over the weekend, so if I'm
wrong about the unicode, please correct me....

E.


OK...couldn't wait until the weekend :)

I haven't had the time to test this so I don't know about false
positives or how well it works in general, etc., but it does work on
the page with the vulnerability example. My understanding is that
this spoofing method works by using html equivalents of ascii
characters. These characters need the "&" symbol. The filter issues
an alert message saying that one of the links might be spoofed.
Also, it turns the link into plain text.

Bounds: <a href=*>
Match: *[\&]*
Replace: $ALERT(Mozilla: One or more URLs on this page MIGHT be
spoofed. Please check for false positives.)

If you get alerts on legit pages, then there are too many false
positives and the filter needs more work. I don't see why legit URLs
should have the "&" character but...

E.
 

Chaos Master

This is EA for forever:
Bounds: <a href=*>
Match: *[\&]*
Replace: $ALERT(Mozilla: One or more URLs on this page MIGHT be
spoofed. Please check for false positives.)

If you get alerts on legit pages, then there are too many false
positives and the filter needs more work. I don't see why legit URLs
should have the "&" character but...

I've seen pages with URLs like:

http://url.url.url/script.php?parameter1=aaaaa&parameter2=bbbbb

Would this break this rule?

[]s
--
Chaos Master®, posting from Canoas, Rio Grande do Sul, Brazil - 29.55° S
/ 51.11° W / GMT-2h / 15m .

"People told me I can't dress like a fairy.
I say, I'm in a rock band and I can do what the hell I want!"
-- Amy Lee

(My e-mail address isn't read. Please reply to the group!)
 

Maxx Pollare

The voice of "EA" drifted in on the cyber-winds,
from the sea of virtual chaos...
The rule should match the "&" character, if it occurs anywhere
between "<a href" and the closing ">" of the link....

After I posted the filter, I did some browsing and I got several
false positives. I'm not sure why. At any rate, the filter needs
more work....


Try changing the Bounds to something like:

Bounds = "<a href=*/"

Or even shift the catch to the match:

Bounds = "<a\s*>"
Match = "*href=[^/]++\&*"

It should match any link with a "&" between the "href=" & the first "/".
 

jmatt

Another way, maybe.

Deepnet Explorer
http://www.deepnetexplorer.com/
Not only is Deepnet Explorer the world’s first browser with RSS news
reader and P2P client integration, it is also the first browser to
foil phishers! With its superior security, functionality and
usability, Deepnet Explorer can dramatically improve your web
experience.
Completely Free No Adware/Spyware No 3rd Party Software
* Posted via http://www.sixfiles.com/forum
 

schrodinger's cat

...I don't see why legit URLs
should have the "&" character but...

Here's one legitimate use right off the top of my head: Many search
engines use the ampersand character for conditional statements in
order to narrow a search.

For example here is the URL for the advanced Google search which I use
as the default when searching from the address bar in Firefox:

"http://www.google.com/advanced_search?q=&num=20&hl=en&lr=lang_en&safe=off"
 

EA

The voice of "EA" drifted in on the cyber-winds,
from the sea of virtual chaos...
The rule should match the "&" character, if it occurs anywhere
between "<a href" and the closing ">" of the link....

After I posted the filter, I did some browsing and I got several
false positives. I'm not sure why. At any rate, the filter
needs more work....


Try changing the Bounds to something like:

Bounds = "<a href=*/"

Or even shift the catch to the match:

Bounds = "<a\s*>"
Match = "*href=[^/]++\&*"

It should match any link with a "&" between the "href=" & the
first "/".

Thanks!

E.
 

EA

Here's one legitimate use right off the top of my head: Many
search engines use the ampersand character for conditional
statements in order to narrow a search.

For example here is the URL for the advanced Google search which I
use as the default when searching from the address bar in Firefox:

"http://www.google.com/advanced_search?q=&num=20&hl=en&lr=lang_en&safe=off"

Someone else suggested to limit the bounds up to the first "/" so
that it will only match the top portion of the URL (www.google.com in
your example). That should solve this problem and it will still
match problem links. However, the rules in that suggestion need to
be edited so that they do not match the "//" in "http://" but only
the first "/" in the actual address.

E.
 

EA

The voice of "EA" drifted in on the cyber-winds,
from the sea of virtual chaos...
The rule should match the "&" character, if it occurs anywhere
between "<a href" and the closing ">" of the link....

After I posted the filter, I did some browsing and I got several
false positives. I'm not sure why. At any rate, the filter
needs more work....


Try changing the Bounds to something like:

Bounds = "<a href=*/"

Or even shift the catch to the match:

Bounds = "<a\s*>"
Match = "*href=[^/]++\&*"

It should match any link with a "&" between the "href=" & the
first "/".

One more thing:

the filter should not match the "http://" portion of the address.
Also, what if the link does not have the "http://" part (i.e.,
href="www.site.com")? How would you negate "http://" in the match
expression?

E.
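A link checker in the spirit of the Proxomitron rules discussed above, written here as an added example that is not from the thread or from any of its posters. It decodes numeric character references in the href the way a browser decodes an attribute value, skips an optional "scheme://", inspects only the host up to the first "/", and never looks at query-string ampersands, which is what removes the false positives reported above. The HTML sample, the hostnames and the punycode label in it are constructed for the demonstration.

```javascript
// Decode numeric character references (&#1072; / &#x430;) as a browser does
// for attribute values; named references are left untouched.
function decodeNumericRefs(text) {
  return text.replace(/&#(x[0-9a-f]+|[0-9]+);/gi, (ref, code) => {
    const cp = code[0].toLowerCase() === "x"
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : ref;
  });
}

// Host of an href: drop an optional "scheme://", then cut at "/", "?" or "#".
function hostOf(href) {
  const noScheme = href.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "");
  return noScheme.split(/[/?#]/, 1)[0];
}

// Suspicious: anything outside printable ASCII, or a punycode ("xn--") label.
function isSuspiciousHost(host) {
  return /[^\x21-\x7e]/.test(host) || /(^|\.)xn--/i.test(host);
}

function isSuspiciousLink(href) {
  return isSuspiciousHost(hostOf(decodeNumericRefs(href.trim())));
}

// Find every <a ... href=...> in an HTML fragment and return the hrefs
// whose host fails the check above. Query strings never influence it.
function suspiciousHrefs(html) {
  const re = /<a\s[^>]*?href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const href = m[1] ?? m[2] ?? m[3];
    if (isSuspiciousLink(href)) hits.push(href);
  }
  return hits;
}

// Constructed sample (not from the thread): Cyrillic "а" (U+0430) spelled as a
// decimal and as a hex reference, a made-up punycode label, a scheme-less
// link, and the Google advanced-search URL quoted in the thread.
const SAMPLE_HTML = `
<a href="http://www.p&#1072;ypal.com/">decimal reference</a>
<a href='http://www.p&#x430;ypal.com/login'>hex reference</a>
<a href="http://www.xn--placeholder.com/">punycode label</a>
<a href="www.site.com">no scheme</a>
<a href="http://www.google.com/advanced_search?q=&num=20&hl=en&lr=lang_en&safe=off">search</a>
`;
console.log(suspiciousHrefs(SAMPLE_HTML));
```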
 

Iain Cheyne

Zo said:
Just saw this fix posted in another newsgroup.

http://users.tns.net/~skingery/weblog/2005/02/permanent-fix-for-shmoo-group-exploit.html

There is a simpler and permanent fix using the (awesome) Adblock extension:

http://users.tns.net/~skingery/weblog/2005/02/workaround-for-idn-spoofing-issue.html

" 1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII
range.


Don't miss step 3! I did the first time and the tip didn't work.

Once you have it in place, go to the test site (http://www.shmoo.com/idn/)
and the links simply don't go anywhere."
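The character class from the quoted Adblock tip, applied as an added example (not from the blog post or from anyone in the thread) to three constructed hostnames and to the punycode form that the standard URL parser produces for them. It shows what the class covers and what it misses: a Cyrillic lookalike triggers it, a Latin-1 accented host does not (U+0080 to U+00FF lies inside \x20-\xFF), and the punycode form is plain ASCII so it never triggers; the stricter \x20-\x7E class is a hypothetical alternative, not something the tip proposes.

```javascript
// Pattern from the Adblock tip as written, and a stricter hypothetical
// alternative that admits only printable ASCII.
const ADBLOCK_PATTERN = /[^\x20-\xFF]/;
const STRICT_PATTERN = /[^\x20-\x7E]/;

// Punycode (ASCII) form of a host via the WHATWG URL parser; "" if invalid.
function toPunycode(host) {
  try {
    return new URL("http://" + host).hostname;
  } catch (e) {
    return "";
  }
}

// Evaluate one host in both its Unicode and its punycode form.
function evaluateHost(host) {
  const punycode = toPunycode(host);
  return {
    host,
    punycode,
    adblockOnUnicode: ADBLOCK_PATTERN.test(host),
    adblockOnPunycode: ADBLOCK_PATTERN.test(punycode),
    strictOnUnicode: STRICT_PATTERN.test(host),
  };
}

// Constructed hosts: plain ASCII, a Cyrillic "а" (U+0430) lookalike, and a
// Latin-1 accented letter (U+00FC) that the original class lets through.
const SAMPLE_HOSTS = ["www.paypal.com", "www.p\u0430ypal.com", "www.m\u00fcller.example"];

function report() {
  return SAMPLE_HOSTS.map(evaluateHost);
}

console.table(report());
```

Whether the extension tests the Unicode or the punycode form of the address decides whether the pattern can fire at all, so that is the first thing to verify before relying on it.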
 

schrodinger's cat

There is a simpler and permanent fix using the (awesome) Adblock extension:

http://users.tns.net/~skingery/weblog/2005/02/workaround-for-idn-spoofing-issue.html

" 1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII
range.

This is great Ian, since I already have Adblock (wouldn't use Firefox
without it). A question on step 4 though. Is the dash after the colon
part of the filter or just an extraneous character? If the dash is not
included you might want to consider removing it from the instructions
on your site, since a colon essentially means "from this point on".
Thanks, good job.
 

Zo

Iain said:
There is a simpler and permanent fix using the (awesome) Adblock extension:

http://users.tns.net/~skingery/weblog/2005/02/workaround-for-idn-spoofing-issue.html

" 1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&id=10

http://www.shmoo.com/idn/ --
Iain
Please check www.pricelesswarehome.org, the FAQ and Google Groups before
posting in alt.comp.freeware.

Thanks for the tip, it seems that more fixes are being developed/found daily
:)

Zo
 
