| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 04 Feb 2008 23:18:15 -0500 From: "Joey Mengele" <joey.mengele@...hmail.com> To: <smenard@...et.nb.ca>, <full-disclosure@...ts.grok.org.uk>, <larry@...ryseltzer.com> Cc: hardwick.carl@...il.com Subject: Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing vulnerabilities Confirmed on emacs on freebsd running on an alpha. J On Mon, 04 Feb 2008 18:49:59 -0500 Larry Seltzer <Larry@...ryseltzer.com> wrote: >I get this same warning on FF 3.0 beta 2 on Vista. > >Larry Seltzer >eWEEK.com Security Center Editor >http://security.eweek.com/ >http://blogs.pcmag.com/securitywatch/ >Contributing Editor, PC Magazine >larry.seltzer@...fdavisenterprise.com > > >-----Original Message----- >From: full-disclosure-bounces@...ts.grok.org.uk >[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of >steve >menard >Sent: Monday, February 04, 2008 3:36 PM >To: full-disclosure@...ts.grok.org.uk >Cc: carl hardwick >Subject: Re: [Full-disclosure] Firefox 2.0.0.12 SSL Spoofing and >Domain >Guessing vulnerabilities > >I get a warning on 2.0.0.11 Linux Ubuntu > >You are about to log into the site "google" with the username >"www%2Ecnn@...om%c0%AF%C0%AF%C0%C0%80", but the website does not >require >authentication. this may be an attempt to trick you Is "google" >the site >you want to visit.? > >is this a 2.0.0.12 issue? >Steve > >carl hardwick wrote: >> Firefox seems to have trouble with defining the proper hostname >when >> requesting a ssl connection. I was able to trick Firefox in >thinking >> the hostname behind the at-sign is legit and the same as the URI >that >> requested an ssl connection, and this without a warning. >> >> PoC: https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@...uehost.com >> >> You can add as much garbage between .com and the @ sign. >> >> So what else can we do? >> >> PoC: >> www.cnn.com%C0%AF%C0%AF%C0%C0%80@...gle >> www.gmail.com%C0%AF%C0%AF%C0%C0%80@...mail >> >> ah heck we don't need that at all: >> >www.gmail.comxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@ >hot >> mail >> >> works fine also :) >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> >> > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html -- Click to shop and save on brand name copiers today. http://tagline.hushmail.com/fc/Ioyw6h4efL2XHRwVibUkjF3PhLMcf2jUicxXpiVPZLGbWnRIZ6Onn6/ >Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists