| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 04 Feb 2008 16:36:20 -0400 From: steve menard <smenard@...et.nb.ca> To: full-disclosure@...ts.grok.org.uk Cc: carl hardwick <hardwick.carl@...il.com> Subject: Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing vulnerabilities I get a warning on 2.0.0.11 Linux Ubuntu You are about to log into the site "google" with the username "www%2Ecnn@...om%c0%AF%C0%AF%C0%C0%80", but the website does not require authentication. this may be an attempt to trick you Is "google" the site you want to visit.? is this a 2.0.0.12 issue? Steve carl hardwick wrote: > Firefox seems to have trouble with defining the proper hostname when > requesting a ssl connection. I was able to trick Firefox in thinking > the hostname behind the at-sign is legit and the same as the URI that > requested an ssl connection, and this without a warning. > > PoC: https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@...uehost.com > > You can add as much garbage between .com and the @ sign. > > So what else can we do? > > PoC: > www.cnn.com%C0%AF%C0%AF%C0%C0%80@...gle > www.gmail.com%C0%AF%C0%AF%C0%C0%80@...mail > > ah heck we don't need that at all: > www.gmail.comxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@...mail > > works fine also :) > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists