Date: Tue, 6 Feb 2007 14:05:19 +0100 (CET)
From: Kanedaaa Bohater <kaneda@...ater.net>
To: bugtraq@...urityfocus.com
Subject: Firefox 2.0.0.1 and Opera 9.10 Anti Fraud/Phishing Protection bypass.


Firefox 2.0.0.1 and Opera 9.10 Anti Fraud/Phishing Protection bypass.

+ Subject:
Firefox 2.0.0.1 Phishing Protection bypass
Opera 9.10 Fraud Protection bypass

+ Version:
Firefox 2.0.0.1 [ Linux | Windows ]
Opera 9.10 Final [ Linux build 521 | Windows build 8679 ]

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ Impact:
Low

+ Firefox Phishing Protection Description: 
Phishing Protection takes Firefox's security to a new level, helping to safeguard your 
financial information and protect you from identity theft. When you encounter a Web site 
that is a suspected forgery (known as a phishing site), Firefox will warn you and offer to 
take you to a search page so you can find the real Web site you were looking for.

+ Opera Fraud Protection Description: 
Oslo, Norway - December 18, 2006 Opera Software today introduced real-time Fraud Protection 
in its award-winning Web browser. Fraud Protection includes technology from GeoTrust, the 
leading digital certificate provider, and PhishTank, a collaborative clearing house for 
data and information about phishing on the Internet. Fraud Protection is available in Opera 
9.1, the newest version of Opera's Web browser. Opera is available completely free at 
www.opera.com.

+ Bypass Description
It is possible to bypass Fraud Protection by adding a few characters to the URL. The URL 
remains valid and the page loads as before, but no phishing warning is shown.

In 2006.11, when version 9.10 was being developed and Fraud Protection was tested, I found that 
when we add a "." character at the end of the domain in the URL field, DNS systems still resolve 
this address and the Host: header in the HTTP GET will not break the WWW server's answer, BUT for 
Fraud Protection it will be a different site than the original and the Fraud Test will fail. For example: 
http://kaneda.bohater.net. != http://kaneda.bohater.net

After posting to http://bugs.opera.com and on the Opera devel forum, they made a fix. [great!] In 
Opera 9.10 this bug doesn't work, of course.

But today, when I'm running the Final 9.10 version, I have found that when I add a "/" character 
at the end of the domain in the URL it fails the Phishing test again !!!

Example: When my URL is on the Phishing List: http://kaneda.bohater.net/phish.html - a warning 
will be displayed

http://kaneda.bohater.net//phish.html - the warning will NOT be displayed

Of course we can add more "/" characters.

Firefox is vulnerable in the same way.

As live examples already show [Firefox HexEncoding Anti-Phishing bypass URL: 
http://sla.ckers.org/forum/read.php?13,2253 ], phishers can use this technique in the near 
future for abusive actions.
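Both bypasses described above (a trailing "." on the host, a doubled "/" in the path, and the hex-encoding variant linked from sla.ckers.org) have the same root cause: the browser compares the raw URL string against its phishing list instead of comparing a canonical form. The following is an added example, not code from the advisory, Mozilla or Opera, showing a defender-side canonicalizer that folds those spellings together before the lookup. The blocklist entry uses the advisory's own example host; the path and the function names are assumptions made for this demo.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote, quote

# Constructed sample blocklist (host from the advisory, path assumed for the demo).
PHISHING_BLOCKLIST = {"http://kaneda.bohater.net/phish.html"}


def _normalize_path(path: str) -> str:
    """Collapse runs of '/', resolve '.' and '..' segments, percent-decode
    until stable and re-encode once, so exactly one spelling remains."""
    # Decode repeatedly so that %2570hish and %70hish both become 'phish'.
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/+", "/", path) or "/"
    segs = []
    for seg in path.split("/"):
        if seg == "..":
            if len(segs) > 1:  # never pop the leading empty segment (the root)
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    path = "/".join(segs) or "/"
    if not path.startswith("/"):
        path = "/" + path
    return quote(path, safe="/")


def canonicalize(url: str) -> str:
    """Return a canonical spelling of url: lower-case scheme and host,
    trailing dot stripped from the host (DNS resolves both spellings, as the
    advisory notes), default port dropped, path normalized, fragment removed.
    The query string is kept verbatim."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".").lower()
    port = parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port is None or port == default else f"{host}:{port}"
    return urlunsplit((scheme, netloc, _normalize_path(parts.path), parts.query, ""))


def is_blocked(url: str, blocklist=PHISHING_BLOCKLIST) -> bool:
    """Blocklist lookup on the canonical form, not on the raw URL string."""
    return canonicalize(url) in {canonicalize(u) for u in blocklist}


if __name__ == "__main__":
    for u in [
        "http://kaneda.bohater.net/phish.html",
        "http://kaneda.bohater.net./phish.html",
        "http://kaneda.bohater.net//phish.html",
        "http://kaneda.bohater.net/%70hish.html",
        "http://kaneda.bohater.net/index.html",
    ]:
        print(f"{is_blocked(u)!s:5} {u} -> {canonicalize(u)}")
```

The point of the design is that every variant the advisory lists maps to the same string before the set lookup, so a list maintainer only has to record one spelling per page; the last URL in the usage loop is a legitimate page on the same host and stays unblocked.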

+ Opera Timeline: 
2006.12.20 bug discovered 
2006.12.21 "/" bug sent to http://bugs.opera.com 
2007.01.19 no response or patch from vendor - probably will be fixed in the future
2007.02.06 posted to Bugtraq

+ Firefox Timeline: 
2007.01.09 bug discovered 
2007.01.19 "/" bug sent to http://bugzilla.mozilla.org [Bug 367538] 
2007.01.19 answer from Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=367538 
2007.02.06 posted to Bugtraq

Original Advisory: 
http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php
http://kaneda.bohater.net/security/20061220-opera_9.10_final_bypass_fraud_protection.php

-- 
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]..
[+] You can take our lives,but you will never take our Freedom - W.Wallace
[+] Peace on earth depends on the peace in the peoples hearts - Dalai Lama
[+] Revolution the only solution - System of a down...
[+] Going further you get further; sitting longer you just keep sitting - etoe aka ok0
[-] Kanedaaa... Bohateur... Cucumber Team Member...     kaneda@...ater.net
