| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <47A7E127.1020309@gmail.com> Date: Mon, 04 Feb 2008 20:08:07 -0800 From: Rob Thompson <my.security.lists@...il.com> To: Juha-Matti Laurio <juha-matti.laurio@...ti.fi> Cc: full-disclosure@...ts.grok.org.uk, carl hardwick <hardwick.carl@...il.com> Subject: Re: Firefox 2.0.0.12 SSL Spoofing and Domain Guessing vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Juha-Matti Laurio wrote: | The most recent Firefox 2.0.0.12 version is RC4 still: | http://www.mozilla.com/en-US/firefox/2.0.0.12/releasenotes/ | | You can't download Firefox 2.0.12 Final yet. So if that's the case, did the author of this thread report this to the FF team? /me doesn't see the point of sending this type of e-mail out to a list. ~ Since this is a Release Candidate - not even released. Just report it to the authors and let them fix it for the final. Thanks Juha-Matti Laurio, for the clarification. | | Juha-Matti | | carl hardwick <hardwick.carl@...il.com> wrote: |> Firefox seems to have trouble with defining the proper hostname when |> requesting a ssl connection. I was able to trick Firefox in thinking |> the hostname behind the at-sign is legit and the same as the URI that |> requested an ssl connection, and this without a warning. |> |> PoC: https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@...uehost.com |> |> You can add as much garbage between .com and the @ sign. |> |> So what else can we do? |> |> PoC: |> www.cnn.com%C0%AF%C0%AF%C0%C0%80@...gle |> www.gmail.com%C0%AF%C0%AF%C0%C0%80@...mail |> |> ah heck we don't need that at all: |> www.gmail.comxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@...mail |> |> works fine also :) |> | | _______________________________________________ | Full-Disclosure - We believe in it. | Charter: http://lists.grok.org.uk/full-disclosure-charter.html | Hosted and sponsored by Secunia - http://secunia.com/ | - -- Rob +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ | _ | | ASCII ribbon campaign ( ) | | - against HTML email X | | / \ | | | +-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) iEYEARECAAYFAken4SYACgkQcfN68iZZIcfP1gCcChRWeu4nH+cbSJJ69I4AH7eI DYkAoKRkc6PE6WEqdFIN53kMYYPOhu+H =ZMTM -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists