[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4680268F.9060502@swiecki.net>
Date: Mon, 25 Jun 2007 22:33:19 +0200
From: Robert Swiecki <jagger@...ecki.net>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari: idn urlbar spoofing
With a specially crafted web page, an attacker can redirect
a www browser to the page, which URL (on the address bar) resembles an
arbitrary domain choosen by the attacker.
It is possible due to the fact, that apple safari supports
IDNs - http://en.wikipedia.org/wiki/Internationalized_domain_name -
and some of the UTF8 font glyphs embedded in the safari, could be used
to create an URL which contains whitespaces.
http://alt.swiecki.net/saft1.html
The picture taken on my system:
http://alt.swiecki.net/idn.png
Tested with Apple Safari 3.0.2 (522.13.1) on MS Windows 2003 SE SP2
--
Robert Swiecki
http://www.swiecki.net
Powered by blists - more mailing lists