MozillaZine

Fix for URL Spoofing Security Vulnerability Checked in to Mozilla Trunk and 1.6 Branch

Wednesday January 7th, 2004

The latest nightly builds of Mozilla feature a fix for the URL spoofing security vulnerability discovered in several browsers last month. A patch was checked in to the trunk and 1.6 branch yesterday, meaning that both the forthcoming Mozilla 1.6 and Mozilla Firebird 0.8 will be immune to the flaw.

In vulnerable versions of Mozilla, the address displayed in the Status Bar while hovering over a link is truncated if the characters %00 are present in the URL of the destination page. An attacker could exploit this to make a link that goes to http://www.microsoft.com%01%00@evilscam.net (real location evilscam.net) but appears in the Status Bar as simply http://www.microsoft.com. By fooling a user into believing that he or she is visiting a trusted site, an attacker could trick him or her into revealing sensitive information such as credit card details.

The flaw was originally detected in Microsoft Internet Explorer before also being spotted in Mozilla. The IE variant is more serious, however, as it affects not only the URL displayed in the Status Bar but also the URL shown in the Address Bar after following a spoofed link. At the time of writing, Microsoft has acknowledged the problem but not yet issued a patch.

Full technical details of the fix are in bug 228176. The Secunia Internet Explorer Address Bar Spoofing Test page allows browser users to check whether their software is vulnerable.

Update: The patch has now also been checked in to the 1.4 branch and will be included in the forthcoming Mozilla 1.4.2.

#1 Not yet in Firebird 0.8

by mlefevre

Wednesday January 7th, 2004 2:45 PM

I would imagine that Firebird 0.8 will indeed get the fix, but it's not there yet. Firebird 0.8 is on its own branch, so the fact that this is checked into trunk and the 1.6 branch does not mean that the fix is in Firebird 0.8.

And it's all very well knocking Microsoft not having a patch yet, but the average user with Mozilla 1.5 doesn't have a patch they can use yet either (unless they have the knowledge to compile their own build or are prepared to upgrade to a nightly build).

#2 Re: Not yet in Firebird 0.8

by AlexBishop

Wednesday January 7th, 2004 3:03 PM

"I would imagine that Firebird 0.8 will indeed get the fix, but it's not there yet."

The first patch attached to bug 228176 was checked into the FIREBIRD_08_BRANCH by Ben Goodger on Saturday 18th December 2003 at 5:51pm Pacific Standard Time.

"And it's all very well knocking Microsoft not having a patch yet, but the average user with Mozilla 1.5 doesn't have a patch they can use yet either"

That's why the article says it will be in 1.6.

Alex

#6 Re: Re: Not yet in Firebird 0.8

by mlefevre

Wednesday January 7th, 2004 6:22 PM

So it has. Sorry - my mistake. So long ago I'd forgotten it, and when I double checked, I didn't go back that far.

#3 I smell a fallacy

by mawrya

Wednesday January 7th, 2004 3:28 PM

"And it's all very well knocking Microsoft not having a patch yet, but the average user with Mozilla 1.5 doesn't have a patch they can use yet either"

...the following quote isn't 'knocking' Microsoft: "At the time of writing, Microsoft has acknowledged the problem but not yet issued a patch". I'm betting the author is just letting us know the status of things in the Microsoft camp for those of us who use IE and Mozilla.

Keep up the good reporting, MozillaZine!

mawrya

#5 Re: I smell a fallacy

by AlexBishop

Wednesday January 7th, 2004 3:39 PM

"I'm betting the author is just letting us know the status of things in the Microsoft camp for those of us who use IE and Mozilla."

Actually, it was mostly to round out the paragraph but close enough.

We could have lots of fun by reporting on every IE security flaw (people submit them) but we'd lose credibility very quickly. Advocacy is all about telling people to use Mozilla because it is good, not because the competition is bad.

Alex

#4 1.4 branch

by jgraham

Wednesday January 7th, 2004 3:35 PM

The patch has approval for the 1.4 branch so it should land there soon.

#7 Always not secure

by messenjer

Thursday January 8th, 2004 1:31 AM

When we go to this type of URL: http://www.microsoft.com%01%00@secunia.com/internet_explorer_address_bar_spoofing_test/

For a newbie or a tired guy, the URL is www.microsoft.com; we cannot pay attention to the next character following .com. (How many sites have URLs that are too long?)

A more secure way would be to delete the user (xxx@) from the URL in the address bar and display somewhere else that we have connected with a username.

#8 Any idiot can do that

by watchman

Thursday January 8th, 2004 1:36 AM

> An attacker could exploit this to make a link that goes to
> http://www.microsoft.com%01%00@evilscam.net (real location evilscam.net) but appears
> in the Status Bar as simply http://www.microsoft.com.

Any idiot can do that in Javascript, even if you fix the bug.

Yes, I know 4 or 5 people use Mozilla with Javascript disabled. So finally ... is this bug so important to be called "URL Spoofing Security Vulnerability"? To appear as important news?

#10 Re: Any idiot can do that

by rajbhaskar

Thursday January 8th, 2004 2:39 AM

Mozilla explicitly allows you to stop Javascript changing the status bar: prefs -> advanced -> scripts & plugins -> allow scripts to -> change status bar text

Okay, so it's not set by default, but it's there as a visible pref.

#11 Re: Any idiot can do that

by jgraham

Thursday January 8th, 2004 2:53 AM

4 or 5 people? In the browser maybe. In HTML mail, *everyone* has javascript disabled. A scam exploiting this behaviour is *far* more likely to start life as an email saying "Log into your ebay account or have it deleted: http://ebay.com&keepaccount%00;evilsite.com " than it is to begin on some random webpage. You might also be interested to know that Mozilla has an option that prevents javascript from changing text in the status bar, precisely to prevent this type of javascript based spoofing.

As for the other person who said that the username should not be displayed in the status bar, there are lots of bugs open with better solutions to this problem. Personally, I favour something like:

site : evilsite.com username: microsoft.com password:

appearing in the status bar, since that makes it very obvious what is going on, and even helps prevent javascript spoofing (different text would be needed for Mozilla and IE in order to spoof the status bar effectively. People running a scam would probably go for the 95% of people running IE rather than bothering to write complex browser detection scripts).
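The article describes a link whose userinfo (the text before "@") is mistaken for the host, and comment #11 proposes showing "site / username / password" in the status bar instead. The following is an added example, not code from MozillaZine or the Mozilla project: it parses a link the way a browser must, decodes any %00/%01 bytes hidden in the userinfo, and renders the report in the layout proposed above. The sample URLs are the ones quoted on this page; evilscam.net and evilsite.com are the page's own placeholder names.

```python
# Added example (not MozillaZine's or Mozilla's code): report the host a link
# will really contact, and flag userinfo that hides control bytes or looks
# like a hostname. Standard library only.
from dataclasses import dataclass
from urllib.parse import urlsplit, unquote


def _printable(s: str) -> str:
    """Drop C0 controls and DEL so a decoded NUL can never cut the report short."""
    return "".join(c for c in s if ord(c) >= 0x20 and ord(c) != 0x7F)


@dataclass
class LinkReport:
    real_host: str           # what the browser will actually connect to
    username: str            # decoded userinfo before ':' (controls removed)
    password: str            # decoded userinfo after ':' (controls removed)
    has_control_chars: bool  # %00/%01-style bytes were hidden in the userinfo

    def status_text(self) -> str:
        """Status-bar text in the 'site / username / password' form of comment #11."""
        if not (self.username or self.password):
            return f"site: {self.real_host}"
        return (f"site: {self.real_host} username: {self.username} "
                f"password: {self.password}").rstrip()


def inspect_link(url: str) -> LinkReport:
    """Only the authority (text before the first '/', '?' or '#') can carry user@host."""
    parts = urlsplit(url)
    user = unquote(parts.username or "")
    password = unquote(parts.password or "")
    ctrl = any(ord(c) < 0x20 or ord(c) == 0x7F for c in user + password)
    return LinkReport(parts.hostname or "", _printable(user),
                      _printable(password), ctrl)


def is_spoof_candidate(url: str) -> bool:
    """True when the userinfo hides control bytes or itself looks like a hostname."""
    report = inspect_link(url)
    return report.has_control_chars or "." in report.username


if __name__ == "__main__":
    for link in ("http://www.microsoft.com%01%00@evilscam.net",
                 "http://www.mozilla.org&foobar&baz@microsoft.com",
                 "http://www.microsoft.com/technet/articles/kb54645654.aspx?user=guest@http://mydodgysite.com"):
        print(f"{link}\n  -> {inspect_link(link).status_text()}"
              f"  spoof candidate: {is_spoof_candidate(link)}")
```

The third sample shows the caveat that an "@" after the first "/" lives in the path or query, not the userinfo, so the host stays www.microsoft.com.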

#13 Re: Re: Any idiot can do that

by marcoos

Thursday January 8th, 2004 8:32 AM

Just add this to your Firebird (and Thunderbird, too) userContent.css:

:link[href*="%00@"]:after,
:visited[href*="%00@"]:after,
:link[href*="%01@"]:after,
:visited[href*="%01@"]:after {
  cursor: help;
  content: "(warning! a spoofed link!)";
  background: red;
  color: white;
}

T

#14 Re: Re: Re: Any idiot can do that

by marcoos

Thursday January 8th, 2004 8:33 AM

Without the "T", of course...

...to have a nice red warning text added to every spoofed link. ;)

#15 Re: Re: Re: Any idiot can do that

by jgraham

Thursday January 8th, 2004 2:09 PM

Well that helps with this particular problem, but doesn't help with the fact that most people will assume http://www.mozilla.org&foobar&baz@microsoft.com will load mozilla.org whereas in fact it will load microsoft.com.

#9 Any idiot can do that

by watchman

Thursday January 8th, 2004 2:38 AM

> An attacker could exploit this to make a link that goes to
> http://www.microsoft.com%01%00@evilscam.net (real location evilscam.net) but appears
> in the Status Bar as simply http://www.microsoft.com.

Any idiot can do that in Javascript, even if you fix the bug.

Yes, I know 4 or 5 people use Mozilla with Javascript disabled. So finally ... is this bug so important to be called "URL Spoofing Security Vulnerability"? To appear as important news?

#12 Eh, what if there's no statusbar?

by bugs4hj

Thursday January 8th, 2004 4:25 AM

I would simply open a new window, without a statusbar, and scam on :-)

#16 Re: Eh, what if there's no statusbar?

by RMo

Thursday January 8th, 2004 2:23 PM

What do you mean? The address bar and everything else are OK; the status bar was the only thing affected, and it's now patched. Are you confusing this with this respective flaw in IE?

#17 save browser

by yamal

Thursday January 8th, 2004 7:06 PM

How about a browser that reads everything in the address bar just like a string. No more coding in the address bar, so you don't have the situation that with just one piece of js-code (ie/mozilla) or one piece of asm-code (opera) you can totally spoof things.

#18 Re: save browser

by tobypowell

Saturday January 10th, 2004 2:16 AM

The problem is not a bit of code in the address bar but the address itself.

the @ symbol is used to attach a username and password to a URL, such as for FTP or some weird web authentication I've not seen for a long time.

This means that if the web address is http://www.microsoft.com/technet/articles/kb54645654.aspx?user=guest@http://mydodgysite.com

your average user will see that as going to a Microsoft website, rather than the actual website, which would be mydodgysite.com.

There's no javascript in that whatsoever.

The second part of the bug is that the part after the @ can be hidden from the status bar (and the address bar in IE) by using a null character of %00 (I think that's the one... real answer above).