Date: Fri, 30 Jul 2004 20:16:12 -0700
From: Stephen Samuel <samuel@...reen.com>
To: "E.Kellinis" <me@...her.org.uk>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Mozilla Firefox Certificate Spoofing

Has this been posted to Bugzilla????

E.Kellinis wrote:
> #########################################
> Application: Mozilla Firefox
> Vendors: http://www.mozilla.com
> Version: 0.9.1 / 0.9.2
> Platforms: Windows
> Bug: Certificate Spoofing (Phishing)
> Risk: High
> Exploitation: Remote with browser
> Date: 25 July 2004
> Author: Emmanouel Kellinis
> e-mail: me@...her(dot)org(dot)uk
> web: http://www.cipher.org.uk
> List : BugTraq(SecurityFocus)/ Full-Disclosure
> #########################################
>
>
> =======
> Product
> =======
> A popular Web browser, a good alternative to IE and
> "The web browser" for Linux machines,
> used to view pages on the World Wide Web.
>
> ===
> Bug
> ===
>
> Firefox has a caching problem; as a result of that someone can
> spoof a certificate of any website and use it as his/her own.
> The problem is exploited using onunload inside <body> and
> redirection using the Http-equiv Refresh metatag, document.write()
> and document.close().
>
> First you direct the redirection metatag to the website
> of which you want to spoof the certificate, then inside
> the <body> tag you add an onunload script so you can control
> the output inside the webpage with the spoofed certificate.
>
> After that you say to Firefox, as soon as you unload this page,
> close the stream; apparently the stream you close is
> the redirection website. You do that with
> document.close().
>
> Now you can write anything you want; you do that
> using document.write().
> After writing the content of your choice
> you close the stream again. Usually Firefox won't display your content,
> although if you check the source code you see it, so the last thing
> is to refresh the new page (do that using window.location.reload()).
> After that you have your domain name in the URL field, your content
> in the browser and the magic yellow lock in the bottom left corner;
> if you pass your mouse over it you will see displayed the name of
> the website whose certificate you spoofed, and if you double click on it you
> will see full information on the certificate without any warning!
>
> You don't need to have SSL on your website! It will work with
> http.
>
> Additionally, using this bug malicious websites can bypass content
> filtering using SSL properties.
>
>
> =====================
> Proof Of Concept Code
> =====================
>
> <HTML>
> <HEAD>
> <TITLE>Spoofer</TITLE>
> <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
> </HEAD>
> <BODY
> onunload="
> document.close();
> document.writeln('<body onload=document.close();break;>
> <h3>It is Great to Use example's Cert!');
>
> document.close();
> window.location.reload();
> ">
> </body>
>
>
> =========================================================
> *PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
> =========================================================

--
Stephen Samuel +1(604)876-0426 samuel@...reen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
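As an added example, not part of the thread or the advisory, here is a heuristic scanner for the page structure the report describes: an immediate meta refresh to an HTTPS site paired with a body onunload handler that rewrites the document and reloads it. Both sample pages are constructed for this example and the scoring threshold is an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample inputs (assumptions for this example, not pages from the advisory):
# one mirrors the structure the post describes, the other is an ordinary redirect page.
SPOOF_LIKE = """<html><head><title>Spoofer</title>
<meta http-equiv="REFRESH" content="0;URL=https://www.example.com">
</head><body onunload="document.close(); document.writeln('rewritten'); document.close(); window.location.reload();">
</body></html>"""
PLAIN_REDIRECT = """<html><head>
<meta http-equiv="refresh" content="5;URL=https://www.example.com/next">
</head><body><p>Redirecting...</p></body></html>"""

DOM_REWRITE = re.compile(r"document\s*\.\s*(write|writeln|close)\s*\(", re.I)
RELOAD = re.compile(r"location\s*\.\s*reload\s*\(", re.I)
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)

class RefreshUnloadParser(HTMLParser):
    """Collect meta-refresh targets and inline onunload handlers from a page."""
    def __init__(self):
        super().__init__()
        self.refresh_urls, self.unload_handlers = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # tag/attr names arrive lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL.search(a.get("content", ""))
            if m:
                self.refresh_urls.append(m.group(1))
        if tag in ("body", "frameset") and "onunload" in a:
            self.unload_handlers.append(a["onunload"])

def scan_html(html):
    """Flag a page that pairs an HTTPS meta refresh with an onunload handler that
    rewrites the document and reloads it, the combination the 2004 report relies on."""
    p = RefreshUnloadParser()
    p.feed(html)
    p.close()
    reasons = []
    https_targets = [u for u in p.refresh_urls if u.lower().startswith("https://")]
    if https_targets:
        reasons.append("meta refresh to HTTPS origin: " + ", ".join(https_targets))
    for handler in p.unload_handlers:
        if DOM_REWRITE.search(handler):
            reasons.append("onunload handler rewrites/closes the document")
        if RELOAD.search(handler):
            reasons.append("onunload handler reloads the page")
    # Assumed threshold: all three signals together are treated as suspicious.
    suspicious = bool(https_targets) and len(reasons) >= 3
    return {"suspicious": suspicious, "refresh_urls": p.refresh_urls, "reasons": reasons}

if __name__ == "__main__":
    for name, page in (("spoof-like", SPOOF_LIKE), ("plain redirect", PLAIN_REDIRECT)):
        print(name, scan_html(page))
```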