Subject: Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation
Date: Tue, 9 Aug 2005 15:22:58 +0200
From: "Marc Ruef" <maru@scip.ch>
To: <bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>,
<news@securiteam.com>, <submissions@packetstormsecurity.org>,
<partners@secunia.com>, <red@heisec.de>
Dear lists,
During a web application audit for a customer I detected a design error in the applications of the Mozilla suite. I was testing very long URL requests, which I usually do with a terminal emulation (e.g. Telnet or NetCat) or tools like Mini-Browser. After I had found a suspicious computation of my input on the server side, I tried to validate it with my web browser. Since the 0.9 release my default browser has been Mozilla Firefox, currently running in the up-to-date version 1.0.6.
After I had entered the _very_ long URL (approx. 5,474 chars) in the address bar of the browser, the whole line went blank. I was not able to see my input; it looked deleted, empty. But I was sure the input chars were there because I was able to scroll the blinking cursor through the line. A partial or full selection of the URL made it visible again. It seems that the text color switched to white, so it is not possible to see it on the white background color of the address bar combobox. I used something like "http://www.scip.ch/?aaa[lot_more_a's]aaa" as input string. It is not necessary to press Enter to see the effect; just put such a long line into the specified field.
Then I tried to send an example URL to my private mail account to test this behavior on my home installation. My whole personal mail traffic is handled by Mozilla Thunderbird 1.0, so it was not really a surprise that the same problem was present there too. The enormously long line of input in the mail body also showed the same effect.
My testing at home, also on Microsoft Windows XP with the latest service pack and patches, has confirmed the bug. But the length of the long lines was different: I had to put 65,535 chars in a line to get the same effect. Other Mozilla applications and other input fields have not been tested. Also, testing with such long lines in HTML documents (e.g. as a link) was not positive. Is anybody able to confirm the problem in their environment too?
The security threat of this is indirect. An attacker may be able to use this vulnerability to obfuscate the real target of a link or the current address bar entry of a web site. This may lead to technically supported social engineering attacks (e.g. phishing). Users should always check the location of a resource twice if it seems unrequested or suspicious in any way. And the Mozilla team should check their solutions to provide a small bugfix for this problem.
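Since the obfuscation described above relies on a link being far longer than the address bar or message pane can sensibly display, a mail or proxy filter can at least surface such links and their real host before a user clicks. The following is an added example for this posting (not code from the author or from scip AG); the 2,048-character cut-off is an assumed conservative threshold, not a value from the report, and the sample message body is constructed here.

```python
import re
from urllib.parse import urlsplit

# The author observed the effect at ~5,474 chars in Firefox 1.0.6 and at
# 65,535 chars in Thunderbird 1.0. The threshold below is an assumption
# chosen to flag links well before either display problem can occur.
MAX_URL_LEN = 2048

# Matches http(s) URLs up to the next whitespace or tag/quote delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def inspect_links(text, max_len=MAX_URL_LEN):
    """Return one finding per URL in text: real host, length, oversized flag."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0)
        parts = urlsplit(url)
        findings.append({
            "host": parts.hostname or "",   # the target the user should verify
            "length": len(url),
            "oversized": len(url) > max_len,
        })
    return findings


# Constructed sample body: one ordinary link and one padded with 'a' characters
# to exactly 5,474 chars, mirroring the author's "http://www.scip.ch/?aaa...aaa".
SAMPLE_LONG = "http://www.scip.ch/?" + "a" * (5474 - len("http://www.scip.ch/?"))
SAMPLE_BODY = "See http://www.scip.ch/ for details, or " + SAMPLE_LONG + " .\n"

if __name__ == "__main__":
    for finding in inspect_links(SAMPLE_BODY):
        print(finding)
```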
A German version of this posting can be found at http://www.computec.ch/mruef/ and the entry in the German vulnerability database by scip AG is at http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1682
Regards,
Marc Ruef
--
) scip AG (
Technoparkstr. 1
8005 Zürich
T +41 1 445 18 18
F +41 1 445 18 19
[email protected]
www.scip.ch
- Latest IT security vulnerabilities -