Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Computing > Firefox > Spoofing vulnerability?

Reply
Thread Tools

Spoofing vulnerability?

 
 
Carmen Gauvin-O'Donnell
Guest
Posts: n/a
 
      02-08-2005
Anyone know anything about the spoofind vulnerability in non-IE browsers
(described in the Tourbus e-mail this week?)

I take it Mozilla is dealing with it?

Carmen
 
Reply With Quote
 
 
 
 
mike555
Guest
Posts: n/a
 
      02-09-2005

Carmen Gauvin-O'Donnell wrote:
> Anyone know anything about the spoofind vulnerability in non-IE

browsers
> (described in the Tourbus e-mail this week?)
>
> I take it Mozilla is dealing with it?
>
> Carmen


==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====

 
Reply With Quote
 
 
 
 
John Thompson
Guest
Posts: n/a
 
      02-10-2005
On 2005-02-09, mike555 <(E-Mail Removed)> wrote:

> Carmen Gauvin-O'Donnell wrote:
>> Anyone know anything about the spoofind vulnerability in non-IE

> browsers
>> (described in the Tourbus e-mail this week?)
>>
>> I take it Mozilla is dealing with it?
>>
>> Carmen

>
>==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====


There's an easier way to fix it: type about:config in the URL bar, filter
on "IDN" and toggle the value for "network.enableIDN" to "false"

--

-John ((E-Mail Removed))
 
Reply With Quote
 
Leonidas Jones
Guest
Posts: n/a
 
      02-10-2005
John Thompson wrote:
> On 2005-02-09, mike555 <(E-Mail Removed)> wrote:
>
>
>>Carmen Gauvin-O'Donnell wrote:
>>
>>>Anyone know anything about the spoofind vulnerability in non-IE

>>
>>browsers
>>
>>>(described in the Tourbus e-mail this week?)
>>>
>>>I take it Mozilla is dealing with it?
>>>
>>>Carmen

>>
>>==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====

>
>
> There's an easier way to fix it: type about:config in the URL bar, filter
> on "IDN" and toggle the value for "network.enableIDN" to "false"
>


This works if you are running Mozilla 1.8a6 or later, or a Firefox
nightly build from about mid January on.

With 1.8a5 or earlier, or the Firefox 1.0 release, most people,
including myself, find that while changing the pref in about:config, it
does not survive a restart of the program. The pref stays "false", but
the prowser still fails the test page at Secunia.

http://secunia.com/multiple_browsers_idn_spoofing_test/

Lee
 
Reply With Quote
 
Ed Mullen
Guest
Posts: n/a
 
      02-12-2005
Leonidas Jones wrote:

> John Thompson wrote:
>
>> On 2005-02-09, mike555 <(E-Mail Removed)> wrote:
>>
>>
>>> Carmen Gauvin-O'Donnell wrote:
>>>
>>>> Anyone know anything about the spoofind vulnerability in non-IE
>>>
>>>
>>> browsers
>>>
>>>> (described in the Tourbus e-mail this week?)
>>>>
>>>> I take it Mozilla is dealing with it?
>>>>
>>>> Carmen
>>>
>>>
>>> ==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====

>>
>>
>>
>> There's an easier way to fix it: type about:config in the URL bar,
>> filter on "IDN" and toggle the value for "network.enableIDN" to "false"
>>

>
> This works if you are running Mozilla 1.8a6 or later, or a Firefox
> nightly build from about mid January on.
>
> With 1.8a5 or earlier, or the Firefox 1.0 release, most people,
> including myself, find that while changing the pref in about:config, it
> does not survive a restart of the program. The pref stays "false", but
> the prowser still fails the test page at Secunia.
>
> http://secunia.com/multiple_browsers_idn_spoofing_test/
>
> Lee


The simplest and best fix yet is described at:
http://edmullen.net/Mozilla/moz_idn.html

Tested on and works for Mozilla, Firefox, and Opera.

--
Ed Mullen
http://edmullen.net
http://edmullen.net/moz.html
The gene pool sure could use a little chlorine.
 
Reply With Quote
 
Leonidas Jones
Guest
Posts: n/a
 
      02-12-2005
Ed Mullen wrote:
> Leonidas Jones wrote:
>
>> John Thompson wrote:
>>
>>> On 2005-02-09, mike555 <(E-Mail Removed)> wrote:
>>>
>>>
>>>> Carmen Gauvin-O'Donnell wrote:
>>>>
>>>>> Anyone know anything about the spoofind vulnerability in non-IE
>>>>
>>>>
>>>>
>>>> browsers
>>>>
>>>>> (described in the Tourbus e-mail this week?)
>>>>>
>>>>> I take it Mozilla is dealing with it?
>>>>>
>>>>> Carmen
>>>>
>>>>
>>>>
>>>> ==== there is a fix posted at... http://tinyurl.com/6gh8u ...=====
>>>
>>>
>>>
>>>
>>> There's an easier way to fix it: type about:config in the URL bar,
>>> filter on "IDN" and toggle the value for "network.enableIDN" to "false"
>>>

>>
>> This works if you are running Mozilla 1.8a6 or later, or a Firefox
>> nightly build from about mid January on.
>>
>> With 1.8a5 or earlier, or the Firefox 1.0 release, most people,
>> including myself, find that while changing the pref in about:config,
>> it does not survive a restart of the program. The pref stays "false",
>> but the prowser still fails the test page at Secunia.
>>
>> http://secunia.com/multiple_browsers_idn_spoofing_test/
>>
>> Lee

>
>
> The simplest and best fix yet is described at:
> http://edmullen.net/Mozilla/moz_idn.html
>
> Tested on and works for Mozilla, Firefox, and Opera.
>


That is a good one. I found that for versions which won't hold the
about:config mods, using Adblock's site blocking capabilities works very
well, and it is easily reversible. Of course, you do need the Adblock
extensions, but its become a very common one.

Lee

Lee
 
Reply With Quote
 
Z
Guest
Posts: n/a
 
      02-12-2005
John Thompson wrote:
> There's an easier way to fix it: type about:config in the URL bar, filter
> on "IDN" and toggle the value for "network.enableIDN" to "false"


This site claims two additional vulnerabilities in FF, one that allows a
site to secretly change that about:config setting:

http://habaneronetworks.com/viewArticle.php?ID=134
....
Fireflashing: The description for this vulnerability demonstrates
changes to the about:config (the configuration page for Firefox) without
the knowledge of the computer user. An example exists that having
about:config unknowingly under the current window that when the user
clicks in a designated area on the form, values can be changed on the
hidden about:config page beneath it. Thus if a malicious website had a
game, that when you double-clicked on a certain area of the game area,
say to move a game piece, a value could be changed to a hidden
about:config window that had popped up under the game, without your
knowledge.

Of all the vulnerabilities described, the last one, 'Fireflashing' is by
far the most serious. Just the other day, I warned on this site that a
vulnerability in Firefox, Opera and others that utilized a hole
Internationalized Domain Names. I instructed users on how to correct the
problem by changing a value in about:config. If a malicious site decided
to change that value back again, then utilize the flaw, it could prove
quite serious.
 
Reply With Quote
 
John Thompson
Guest
Posts: n/a
 
      02-13-2005
On 2005-02-12, Ed Mullen <(E-Mail Removed)> wrote:

> The simplest and best fix yet is described at:
> http://edmullen.net/Mozilla/moz_idn.html
>
> Tested on and works for Mozilla, Firefox, and Opera.


How will this work if you alrady have a proxy defined in your settings? Is
there some way to chain it to the existing proxy?

--

John ((E-Mail Removed))
 
Reply With Quote
 
John Thompson
Guest
Posts: n/a
 
      02-13-2005
On 2005-02-12, Leonidas Jones <(E-Mail Removed)> wrote:

> That is a good one. I found that for versions which won't hold the
> about:config mods, using Adblock's site blocking capabilities works very
> well, and it is easily reversible. Of course, you do need the Adblock
> extensions, but its become a very common one.


According to:

http://users.tns.net/%7Eskingery/web...ing-issue.html

you can use AdBlock to filter unicode characters from urls thereby
preventing the IDN exploit:

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extension...=Windows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII
range.

My question: in step four, is the hyphen on the first line part of the
filter, or not?

--

John ((E-Mail Removed))
 
Reply With Quote
 
Leonidas Jones
Guest
Posts: n/a
 
      02-13-2005
John Thompson wrote:
> On 2005-02-12, Leonidas Jones <(E-Mail Removed)> wrote:
>
>
>>That is a good one. I found that for versions which won't hold the
>>about:config mods, using Adblock's site blocking capabilities works very
>>well, and it is easily reversible. Of course, you do need the Adblock
>>extensions, but its become a very common one.

>
>
> According to:
>
> http://users.tns.net/%7Eskingery/web...ing-issue.html
>
> you can use AdBlock to filter unicode characters from urls thereby
> preventing the IDN exploit:
>
> 1. Install the Adblock Firefox extension.
> https://update.mozilla.org/extension...=Windows&id=10
>
> 2. Look at the Adblock 'Preferences' and go to 'Adblock Options'
>
> 3. Tick 'Site Blocking'
>
> 4. Add the following filter :-
> /[^\x20-\xFF]/
>
> This will block any URL that uses characters outside the normal ASCII
> range.
>
> My question: in step four, is the hyphen on the first line part of the
> filter, or not?
>


/[^\x20-\xFF]/

No it is not. The above is all you need.

Lee
 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
BRI Spoofing Satnam.Bhamra@gmail.com Cisco 3 09-19-2005 06:13 PM
Anti-spoofing access-lists Ivan Ostreš Cisco 4 02-27-2005 02:55 AM
Avoiding SMTP spoofing with Cisco PIX. It is possible ? Javier Cisco 3 09-29-2004 10:04 PM
WCCP ip Spoofing problem with Cache Server hari Cisco 0 03-04-2004 02:00 PM
Cisco router spoofing? Mark Cisco 6 07-21-2003 08:57 PM



Advertisments