lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <5F9D803B30A8E4418166E637D50E9E2A13A0AC@miraculix.scip.ch>
Date: Tue, 9 Aug 2005 15:22:58 +0200
From: "Marc Ruef" <maru@...p.ch>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>,
	<news@...uriteam.com>, <submissions@...ketstormsecurity.org>,
	<partners@...unia.com>, <red@...sec.de>
Subject: Mozilla Firefox up to 1.0.6 and Mozilla
	Thunderbird up to 1.0 url string obfuscation


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear lists,

During a web application audit for a customer I detected a design error in the applications of the Mozilla suite. I was testing very long URL requests what I am usually do with a terminal emulation (e.g. Telnet or NetCat) or tools as like Mini-Browser. After I have found a suspicous computation of my input at server side I tried to validate this one with my web browser. Since the 0.9 release my default browser is Mozilla Firefox, currently running in the up-to-date version 1.0.6.

After I have entered the _very_ long URL (approx. 5.474 chars) in the address bar of the browser the whole line went blank. I was not able to see my input - It looked like deleted, empty. But I was sure the input chars where there because I was able to scroll the blinking cursor thru the line. A partial or fully selection of the URL made it visible again. It seems that the text color switched to white so it is not possible to see it on the white background color of the address bar combobox. I used something like "http://www.scip.ch/?aaa[lot_more_a's]aaa" as input string. It is not needed to press enter to see the effect. Just put such a long line into the specified field.

Then I tried to send an example URL to my private mail account to test this behavior at my home installation. My whole personal mail traffic is handled by Mozilla Thunderbird 1.0 so it was not really a surprise the same problem where given there too. The enormous long line of input of the mail body switched also to the same effect.

My testing at home, also a Microsoft Windows XP with the latest service pack and patches, has confirmed the bug. But the length of the long lines where different. I have had to put 65.535 chars in a line to get the same effect. Other Mozilla applications and every input field has not been tested. Also a testing with such long lines in HTML documents (e.g. as a link) were not positive. Is anybody able to confirm the problem in their environment too?

The security threat of this may be given indirectly. An attacker may be able to use this vulnerability to obfuscate the real target of a link or the current address bar entry of a web site. This may be lead to realize technically supported social engineering attacks (e.g. phishing). Users should always check the location of a ressource twice if it seems not requested or suspicous in any way. And the Mozilla team should check their solutions to provide a small bugfix for this problem.

A german version of this posting can be found at http://www.computec.ch/mruef/ and the entry in the german vulnerabiliy by scip AG is at http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1682

Regards,

Marc Ruef

- -- 
) scip AG (
Technoparkstr. 1
8005 Zürich
T +41 1 445 18 18 
F +41 1 445 18 19

maru@...p.ch
www.scip.ch

- - Aktuellste IT-Sicherheitsluecken -

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch

iQA/AwUBQviuMRe5hzJzqVMhEQK5GQCg4XqBtH5zBG3Bbcp0AlstrlCnaGkAoIHi
COKFYbxYuY9WvAnviqJRVyoM
=x9MD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ