MozillaZine

Mozilla Partially Vulnerable to Internet Explorer URL Spoofing Security Flaw

Thursday December 11th, 2003

koody wrote in to tell us that Mozilla is partially vulnerable to the recently announced URL spoofing security hole in Internet Explorer. The latest IE flaw allows an attacker to disguise the true domain of a URL in the browser's Address Bar, allowing a page located at evilscam.net to appear to be from microsoft.com. This exploit can be used to increase the effectiveness of the so-called 'phishing' scams that have recently been used to target customers of PayPal, eBay and several online banks.

The Address Bar URL spoofing flaw was originally reported by Sam "Zap The Dingbat" Greenhalgh, who provided details of the exploit and a demonstration. Security company Secunia issued an advisory about the vulnerability, with an update from Chris Hall reporting that the URL shown in the Status Bar while mousing over a link to a spoofed page is also affected. While Mozilla-based browsers such as the Mozilla Application Suite and Mozilla Firebird are immune to the more serious Address Bar spoofing, they appear to be vulnerable to the Status Bar variant.

The Secunia Internet Explorer Address Bar Spoofing Test page demonstrates both the full flaw in IE and the Status Bar aspect of it that affects Mozilla. The relevant Bugzilla report is bug 228176, which was filed today and already has a preliminary patch attached (please do not add unnecessary comments to the bug; the developers are already aware of its seriousness). Mozilla users are advised to not rely on the URL displayed in the Status Bar and to check the complete address of the destination page in the Location Bar upon arrival.


#25 More vulnerabilitys

by vbAlex <vbAlexDOSMan@Yahoo.com>

Friday December 12th, 2003 9:22 AM

You are replying to this message

I will be refererring to this: <//www.microsoft.com/%00@secunia.com>/internet_explorer_address_bar_spoofing_test/" rel="nofollow"><http://vbalex.dyndns.org:…ddress_bar_spoofing_test/>

This is my home server, so please don't DDoS me. Maybe somebody with a real server could mirror this before I'm completly disabled. IM me at MSN/Y!/AIM: vbAlexDOSMan, Jabber: <IReadYourEmail@jabber.org>/Home, ICQ: 271781078 for the code.

At that URL, notice that it, for one, shows <http://microsoft.com/> in the title bar, whereas when you check the source, it's actually the malicious URL. Also, try going into the source view and copying the URL and pasteing it somewhere... It cuts off the malicious part of the URL (not to mention the rest of the line.) Maybe this has something to do with C/C++'s null terminated strings?

My friend also says that Opera is vulnerable to the title bar vulnerablility too.

I've noticed the title bar vulnerability is non-existant when the 0 character isn't inlined in the code... e.g. %00 doesn't throw it off, but because I'm using PHP to demo this, the %00 is unescaped into the raw 0 character before my code can even touch it.