Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[SCL-2005.002] - IDN Feature Workaround via proxy.pac

from [Scovetta, Michael V] Network Security [Permanent Link]
Subject: [SCL-2005.002] - IDN Feature Workaround via proxy.pac
Date: Tue, 8 Feb 2005 12:39:59 -0500 
=====[BEGIN-SCL-REPORT]=====
 
________________________________________________________________________

                   Scovetta Labs Security Advisory

 Title:         IDN Feature Workaround via proxy.pac
 Status:        Public
 Release Date:  2005-02-08
________________________________________________________________________

 Package:       Web Browsers
 Vendor:        Mozilla - http://www.mozilla.org
                Opera - http://www.opera.com
                Others (non-IE)
 Priority:      High
 Vulnerability: IDN Allows Domain Spoofing


Affected Versions:
==================

 Firefox 1.0 is vulnerable
 Most other modern browsers (except IE) have been reported vulnerable


Background: (from official advisory [1])
===========

 International Domain Name [IDN] support in modern browsers allows 
 attackers to spoof domain name URLs + SSL certs.

Description:
============

 See description [1].


Exploit:
========

 See exploit [1].
 
 
Work-around:
============

 A browser-level fix for this vulnerability is to create a proxy.pac
 (auto-configuration) file, containing the following text:

function FindProxyForURL(url, host){
  // valid characters, add more as you find you need them
  var validChars = "abcdefghijklmnopqrstuvwxyz0123456789.-";
  for (i=0; i<host.length; i++) {
    if (validChars.indexOf(host[i]) == -1) {
      alert('Invalid character(s) in host name.');
      return "PROXY 127.0.0.1:9999";
    }
  }
}

See [3] for the full file.

Vendor Response:
================

 See vendor response [1]


Revision History
================
 
2005-02-08: Public Release [2]
 

Credits:
========

 Discovery of the vulnerability to Eric Johanson (ericj@shmoo.com).
 Proxy.pac workaround to Michael Scovetta (security@scovettalabs.com

References:
==========

 [1] http://www.shmoo.com/idn/homograph.txt
 [2] http://www.scovettalabs.com/advisory/SCL-2005.002.txt
 [3] http://www.scovettalabs.com/download/IDNproxy.pac

Disclaimer
==========

 The content of this report is purely informational and meant only 
 for the purpose of education and protection. Scovetta Labs and 
 Michael Scovetta shall in no event be liable for any damage 
 whatsoever, direct or implied, arising from use or spread of this 
 information. All identifiers (hostnames, IP addresses, company names, 
 individual names etc.) used in examples and demonstrations are used 
 only for explanatory purposes and have no connection with any real 
 host, company or individual. In no event should it be assumed that 
 use of these names means specific hosts, companies or individuals 
 are vulnerable to any attacks nor does it mean that they consent to 
 being used in any vulnerability tests. The use of information in 
 this report is entirely at user's risk.

 
Copyright
=========
 
 (c) 2005 Michael Scovetta. Forwarding and publishing of this document 
 is permitted providing the content between "[BEGIN-SCL-REPORT]" and
 [END-SCL-REPORT]" marks remains unchanged.


=====[END-SCL-REPORT]=====
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [SCL-2005.002] - IDN Feature Workaround via proxy.pac, Scovetta, Michael V <=
Previous by Date:  Formation of OWASP Chapter in Winnipeg, MB, CA, Yvan Boily
Next by Date:  Re: secure storage of sensitive data in J2EE, Ashish Popli
Previous by Thread:  Formation of OWASP Chapter in Winnipeg, MB, CA, Yvan Boily
Next by Thread:  Achieving Sign On for non-web resource., Babu Kopparam
Indexes:  [Date] [Thread] [Top] [All Lists]