yes_sir
@net.mx
|  Firefox 2.0.0.12 SSL Spoofing and Domain Guessing flaws!
Firefox seems to have trouble with defining the proper hostname when
requesting a ssl connection. I was able to trick Firefox in thinking
the hostname behind the at-sign is legit and the same as the URI that
requested an ssl connection, and this without a warning.
PoC:
You can add as much garbage between .com and the @ sign.
So what else can we do?
PoC:
ah heck we don't need that at all:
works fine also :) |
|
jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland | Dude, the version is still 2.0.0.11. |
|
WeenieBoy
join:2003-06-25
Pasadena, MD | reply to yes_sir
Besides the wrong version with this "problem" What are you saying ? When I did it I got the certificate from the rogue host so how the heck is that wrong ? What does "legit" mean ?
I am confused about your post |
|
Epyon9283
Premium
join:2001-12-26
Dayton, NJ | reply to yes_sir
What the heck are you talking about?
What comes after the @ is the host name that firefox is going to connect to. If that host has a valid, trusted SSL cert you're not going to see a warning message. What are you spoofing? |
|
Grail Knight
Who Dares Wins
Premium
join:2003-05-31
 ·Verizon Online DSL
| reply to yes_sir
So are you testing the beta in hopes of informing Mozilla Foundation that they need to work on the beta?
The beta is 2.0.0.12pre.
The release is 2.0.0.11
--
"We must look for consistency. Where there is a want of it we must suspect deception." - Sherlock Holmes |
|
pepperxn
join:2001-02-21
| reply to yes_sir
2 flaws here.
»www.0x000000.com/?i=509
and
»www.0x000000.com/index.php?i=511
»https://bugzilla.mozilla.org/show_bug.cgi?id=415034
Haven't found the bug # for the first one yet. 2nd one has a patch, and will be fixed in 1.8.1.13 (Firefox 2.0.0.13). |
|
La Luna
Surviving Ashraful
Premium
join:2001-07-12
Warwick, NY
clubs:
 ·Optimum Online
 ·Vonage
| reply to jansson_mark
said by jansson_mark  :Dude, the version is still 2.0.0.11. »Firefox 2.0.12 VS IE7
»wiki.mozilla.org/Releases/Firefox_2.0.0.12
»ftp.eu.mozilla.org/pub/mozilla.o···?C=M;O=D
--
10,504 DEADLY TERROR ATTACKS SINCE 9/11~~TEAM DISCOVERY
Can't feel you anymore, don't need you anymore, don't believe you anymore, I don't need you anymore
|
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| Soon. Should be any day assuming no release blockers.
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer |
|
chachazz
Premium
join:2003-12-14
| Name: Firefox 2.0.0.12
Scheduled Release Date : February 7
Release Schedule
--
Gladiator Security Forum: www.gladiator-antivirus.com/
|
|
antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
| said by chachazz :Name: Firefox 2.0.0.12 Scheduled Release Date : February 7 Release Schedule Ooh. Hmmph, no suite product SeaMonkey? 
--
Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer |
|
pepperxn
join:2001-02-21
| said by antdude :said by chachazz :Name: Firefox 2.0.0.12 Scheduled Release Date : February 7 Release Schedule Ooh. Hmmph, no suite product SeaMonkey? SeaMonkey 1.1.8 is coming soon.
»home.kairo.at/blog/2008-02/weekl···w05_2008
Notice this sentence: "I created and uploaded (two sets of) candidate builds for SeaMonkey 1.1.8 this week, which is our upcoming security release for the stable 1.1.x series. We target a release nearly in sync with Firefox 2.0.0.12 this Thursday or Friday." |
|
