MozillaZine

Serious security issue -- phishing vulnerability

Discussion of bugs in Mozilla Firefox
egeezer
 
Posts: 28
Joined: January 29th, 2004, 2:37 pm

Post Posted February 8th, 2005, 10:33 am

I tried the workaround of editing the compreg.dat file(s) as provided by BeesTea at BBR and it works on my system, even after closing and restarting the browser. I did a search and found two compreg.dat files on my WIN pc, commented the line in both of them. See:

http://www.dslreports.com/forum/remark, ... t=security


quote from BeesTea's workaround;
For windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat

For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Removing the line that references IDN makes the problem go away. Using Find, there was a single reference for the UNIX host and 2 for the Win32 host. Removing the lines and restarting the browser makes the attack fail regardless of the about:config/userprefs.js value.

Here's an example entry.

{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

End Quote

Edit - I understand that compreg.dat may be overwritten with a nightly build update, so I will need to check the files again after any updates...

HTH

EG
Cheers,

EG

venus_de_mpls

 
Posts: 1059
Joined: December 23rd, 2004, 3:43 pm
Location: Minneapolis, MN, USA, Earth

Post Posted February 8th, 2005, 1:13 pm

Kylotan wrote:
venus_de_mpls wrote:I would prefer seeing the spoofed address in the error message. And in time I am hopeful the error message will reflect blocking a spoofed address.


Are you not missing the point though? This system is there to allow a set of valid IDN addresses, which unfortunately just happen to resemble existing ones which may or may not be something like paypal. I can understand you might want it turned off by default as a security measure, but as far as I can see, when it is in operation I get the correct error messages with the exact address it was trying to access. The only difference between a spoofed address and a legitimate one is the intention, really.


Not missing the point at all. I just worry that users implementing the fix might interpret the error message as now having this problem: http://forums.mozillazine.org/viewtopic.php?t=211351

lynchknot
 
Posts: 6253
Joined: November 4th, 2002, 7:36 pm

Post Posted February 8th, 2005, 1:52 pm

oops wrong thread
Last edited by lynchknot on February 8th, 2005, 1:54 pm, edited 1 time in total.

lynchknot
 
Posts: 6253
Joined: November 4th, 2002, 7:36 pm

Post Posted February 8th, 2005, 1:54 pm

hhee, oops again

Lost User 101655
 
Posts: 0
Joined: December 31st, 1969, 5:00 pm

Post Posted February 9th, 2005, 5:45 am

I've disabled network.enableIDN and it prevents Firefox from opening spoofed sites. Even after Firefox restart! I'm using Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8a6) Gecko/20050111 Firefox/1.0+ (MOOX M1) - the best trunk I've seen since Fx1.o

jtjt00

 
Posts: 10
Joined: February 9th, 2005, 7:34 am

Post Posted February 9th, 2005, 7:47 am

If, after modifying the compreg.dat file, you are unable to launch Firefox, then you need to go back to the original compreg.dat file.

This happens to me.

AnotherGuest.
 
Posts: 2158
Joined: December 22nd, 2004, 11:47 am

Post Posted February 9th, 2005, 8:18 am

Just a comment on grocal's solution:

The version he is using is recent enough so that particular solution works correctly.

That solution does not work with the official release (1.0) because of a bug. People using the official release should just read the sticky note.

Jus
 
Posts: 483
Joined: August 12th, 2004, 11:37 am

Post Posted February 9th, 2005, 11:11 am

Newbie questions, what is this IDN for?

Why is kmeleon not vulnerable when the other gecko browsers are?

schapel
 
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan

Post Posted February 9th, 2005, 11:16 am

Jus wrote:Newbie questions, what is this IDN for?


It allows characters from different character sets in URLs. Russian users can have Cyrillic URLs and Japanese users can have Japanese URLs, for example.

Jus wrote:Why is kmeleon not vulnerable when the other gecko browsers are?


Probably because it has a completely different user interface built using native code instead of XUL.

AnotherGuest.
 
Posts: 2158
Joined: December 22nd, 2004, 11:47 am

Post Posted February 9th, 2005, 12:46 pm

Jus wrote:Why is kmeleon not vulnerable when the other gecko browsers are?
In a way it's vulnerable too. It can still open a link to a fraudulent site. If that site looks to you like the site you are expecting, you might be fooled.

The difference is that if you look in the address window, K-Meleon will probably display the name of the site in a way that will allow you to tell the difference. But you still have to examine the address window. Unfortunately, the difference in appearance may be small enough that you may not notice the difference, and the appearance may be different on different systems. This is not a criticism of K-M, but protection is not automatic.

You should be aware that even once this problem is "solved", you will still be somewhat vulnerable with any browser. A link called "Secure Banking at Your Branch" can still send you to TransferAllYourMoneyToNigeria.Burp.com. Or it might be "https://www.Secure.BankAmerika.con/urbranch/posting.php?mode=106823burp231523=youwontreadthisfarbutyouvebeenhad?haha".
Last edited by AnotherGuest. on February 9th, 2005, 1:07 pm, edited 1 time in total.
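
Added example, not part of the thread: one way to show a hostname "in a way that will allow you to tell the difference", as the post above puts it, is to print its ASCII (xn--) form and flag any label that mixes scripts. The function names are hypothetical and the sample host, example.com with a Cyrillic "а", is constructed.

```python
import unicodedata
from urllib.parse import urlsplit

# Scripts that legitimately appear together inside one Japanese label.
JAPANESE = {"CJK", "HIRAGANA", "KATAKANA", "KATAKANA-HIRAGANA"}


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return None  # digits and hyphens are shared by every script
    word = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
    return "JAPANESE" if word in JAPANESE else word


def to_unicode(label):
    """Decode an xn-- (punycode) label; any other label passes through."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ascii(label):
    """Encode a non-ASCII label to its xn-- form; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def inspect_url(url):
    """Return (ascii_host, findings); findings lists labels that mix scripts."""
    host = urlsplit(url).hostname or ""
    ascii_labels, findings = [], []
    for raw in host.split("."):
        label = to_unicode(raw)
        ascii_labels.append(to_ascii(label))
        scripts = sorted({s for s in map(script_of, label) if s})
        if len(scripts) > 1:
            findings.append((label, scripts))
    return ".".join(ascii_labels), findings


if __name__ == "__main__":
    # Constructed sample: the second letter is Cyrillic U+0430, not Latin "a".
    print(inspect_url("http://www.ex\u0430mple.com/login"))
```

A label written entirely in one non-Latin script is not flagged, since such names are legitimate IDN use; a lookalike built from a single script therefore needs a separate check.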

brwkem
 
Posts: 5
Joined: February 8th, 2005, 2:55 pm

Post Posted February 9th, 2005, 1:07 pm

Where is the sticky?

I know it's a dumb question

schapel
 
Posts: 3483
Joined: November 4th, 2002, 10:47 pm
Location: Ann Arbor, Michigan

Post Posted February 9th, 2005, 1:11 pm

In the Mozilla Firefox Support forum (http://forums.mozillazine.org/viewforum.php?f=38).

AnotherGuest.
 
Posts: 2158
Joined: December 22nd, 2004, 11:47 am

Post Posted February 9th, 2005, 1:14 pm

Not a dumb question at all. Congratulations! You are the 100,000th dumb person not to see the sticky notes! :banana: \:D/

CAN SOMEONE PLEASE PUT THE STICKY NOTES IN BIG NEON LETTERS? PRETTY PLEASE? :lol:

It's right at the top of page 1 of the Firefox Support Forum.

brwkem
 
Posts: 5
Joined: February 8th, 2005, 2:55 pm

Post Posted February 9th, 2005, 1:53 pm

Funny.
If you go to firefox 1.x support the sticky isn't there.
IT SHOULD BE!
Have to go to the above forum to see it.
That should be in both forums.

So YES PUT THE STICKY NOTES IN BIG NEON LETTERS IN BOTH FORUMS

AnotherGuest.
 
Posts: 2158
Joined: December 22nd, 2004, 11:47 am

Post Posted February 9th, 2005, 3:20 pm

I think you mean it's missing from the Mozilla 1.x support forum. Indeed it is.

Can you alert the moderator, and I'll do the same?
