lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <649944.3191202167107189.JavaMail.juha-matti.laurio@netti.fi> Date: Tue, 5 Feb 2008 01:18:26 +0200 (EET) From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi> To: carl hardwick <hardwick.carl@...il.com>, full-disclosure@...ts.grok.org.uk Subject: Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing vulnerabilities The most recent Firefox 2.0.0.12 version is RC4 still: http://www.mozilla.com/en-US/firefox/2.0.0.12/releasenotes/ You can't download Firefox 2.0.12 Final yet. Juha-Matti carl hardwick <hardwick.carl@...il.com> wrote: > Firefox seems to have trouble with defining the proper hostname when > requesting a ssl connection. I was able to trick Firefox in thinking > the hostname behind the at-sign is legit and the same as the URI that > requested an ssl connection, and this without a warning. > > PoC: https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@...uehost.com > > You can add as much garbage between .com and the @ sign. > > So what else can we do? > > PoC: > www.cnn.com%C0%AF%C0%AF%C0%C0%80@...gle > www.gmail.com%C0%AF%C0%AF%C0%C0%80@...mail > > ah heck we don't need that at all: > www.gmail.comxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@...mail > > works fine also :) > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists