Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws!

Firefox seems to have trouble defining the proper hostname when requesting an SSL connection. I was able to trick Firefox into thinking the hostname behind the at-sign is legit and the same as the URI that requested an SSL connection, and this without a warning.
PoC:
https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@roguehost.com
You can add as much garbage between .com and the @ sign.
So what else can we do?
PoC:
www.cnn.com%C0%AF%C0%AF%C0%C0%80@google
www.gmail.com%C0%AF%C0%AF%C0%C0%80@hotmail
ah heck we don't need that at all:
www.gmail.comxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@hotmail
works fine also :)

Dude, the version is still 2.0.0.11.

reply to yes_sir
Besides the wrong version with this "problem", what are you saying? When I did it I got the certificate from the rogue host, so how the heck is that wrong? What does "legit" mean?
I am confused about your post.

reply to yes_sir
What the heck are you talking about?
What comes after the @ is the host name that Firefox is going to connect to. If that host has a valid, trusted SSL cert you're not going to see a warning message. What are you spoofing?
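
The split described in the reply above (everything before the @ is userinfo, everything after it is the host the browser connects to), as an added example that is not part of the thread. `inspectUrl`, `forbiddenUtf8Escapes` and the finding labels are hypothetical names, the sample inputs are the strings quoted in the first post, and schemeless input is assumed to mean http://.

```javascript
// Added example (not from the thread): show which part of a URL is the real
// host and flag userinfo that imitates a hostname. Uses the WHATWG URL class.

// Bytes 0xC0, 0xC1 and 0xF5-0xFF never occur in well-formed UTF-8.
// %C0%AF, used in the thread, is the overlong two-byte encoding of "/".
function forbiddenUtf8Escapes(s) {
  return [...s.matchAll(/%([0-9A-Fa-f]{2})/g)]
    .map((m) => parseInt(m[1], 16))
    .filter((b) => b === 0xc0 || b === 0xc1 || b >= 0xf5);
}

function inspectUrl(raw) {
  // Assumption: input without a scheme is treated as http://, so the
  // "name@host" strings from the first post still parse.
  const text = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : "http://" + raw;
  let url;
  try {
    url = new URL(text);
  } catch {
    return { host: null, userinfo: "", findings: ["unparseable"] };
  }
  const userinfo = url.password
    ? `${url.username}:${url.password}`
    : url.username;
  const findings = [];
  if (userinfo) findings.push("userinfo-present");
  // Userinfo that starts like "label.label.tld" reads as a site name to a user.
  if (/^(?:[a-z0-9-]+\.)+[a-z]{2,}/i.test(userinfo)) {
    findings.push("userinfo-looks-like-hostname");
  }
  if (forbiddenUtf8Escapes(userinfo).length > 0) {
    findings.push("invalid-utf8-escape");
  }
  return { host: url.hostname, userinfo, findings };
}

// Sample inputs: the strings quoted in the first post, plus a plain URL.
const samples = [
  "https://www.gmail.com%C0%AF%C0%AF%C0%C0%80@roguehost.com",
  "www.cnn.com%C0%AF%C0%AF%C0%C0%80@google",
  "www.gmail.comxxxxxxxxxxxxxxxxxxxx@hotmail",
  "https://www.gmail.com/",
];
for (const s of samples) {
  const r = inspectUrl(s);
  console.log(`${s}\n  connects to: ${r.host}\n  findings: ${r.findings.join(", ") || "none"}`);
}
```
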

Grail Knight
reply to yes_sir
So are you testing the beta in hopes of informing Mozilla Foundation that they need to work on the beta?
The beta is 2.0.0.12pre.
The release is 2.0.0.11
-- "We must look for consistency. Where there is a want of it we must suspect deception." - Sherlock Holmes

reply to yes_sir
2 flaws here.
»www.0x000000.com/?i=509
and
»www.0x000000.com/index.php?i=511 »bugzilla.mozilla.org/show_bug.cgi?id=415034
Haven't found the bug # for the first one yet. 2nd one has a patch, and will be fixed in 1.8.1.13 (Firefox 2.0.0.13).

La Luna
reply to jansson_mark
»Firefox 2.0.12 VS IE7
»wiki.mozilla.org/Releases/Firefox_2.0.0.12
»ftp.eu.mozilla.org/pub/mozilla.o···?C=M;O=D
-- 10,504 DEADLY TERROR ATTACKS SINCE 9/11~~TEAM DISCOVERY Can't feel you anymore, don't need you anymore, don't believe you anymore, I don't need you anymore

antdude
Soon. Should be any day assuming no release blockers.
-- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer

Name: Firefox 2.0.0.12
Scheduled Release Date: February 7
Release Schedule
-- Gladiator Security Forum: www.gladiator-antivirus.com/

antdude
Ooh. Hmmph, no suite product SeaMonkey?

said by antdude: Ooh. Hmmph, no suite product SeaMonkey?
SeaMonkey 1.1.8 is coming soon.
»home.kairo.at/blog/2008-02/weekl···w05_2008
Notice this sentence: "I created and uploaded (two sets of) candidate builds for SeaMonkey 1.1.8 this week, which is our upcoming security release for the stable 1.1.x series. We target a release nearly in sync with Firefox 2.0.0.12 this Thursday or Friday."