[Full-disclosure] Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation

From: Marc Ruef (maru_at_scip.ch)
Date: 08/09/05

  • Next message: Tim: "Re: [Full-disclosure] Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation"
    Date: Tue, 9 Aug 2005 15:22:58 +0200
    To: <bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>, <news@securiteam.com>, <submissions@packetstormsecurity.org>, <partners@secunia.com>, <red@heisec.de>
    
    

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Dear lists,

    During a web application audit for a customer I detected a design error in the applications of the Mozilla suite. I was testing very long URL requests what I am usually do with a terminal emulation (e.g. Telnet or NetCat) or tools as like Mini-Browser. After I have found a suspicous computation of my input at server side I tried to validate this one with my web browser. Since the 0.9 release my default browser is Mozilla Firefox, currently running in the up-to-date version 1.0.6.

    After I have entered the _very_ long URL (approx. 5.474 chars) in the address bar of the browser the whole line went blank. I was not able to see my input - It looked like deleted, empty. But I was sure the input chars where there because I was able to scroll the blinking cursor thru the line. A partial or fully selection of the URL made it visible again. It seems that the text color switched to white so it is not possible to see it on the white background color of the address bar combobox. I used something like "http://www.scip.ch/?aaa[lot_more_a's]aaa" as input string. It is not needed to press enter to see the effect. Just put such a long line into the specified field.

    Then I tried to send an example URL to my private mail account to test this behavior at my home installation. My whole personal mail traffic is handled by Mozilla Thunderbird 1.0 so it was not really a surprise the same problem where given there too. The enormous long line of input of the mail body switched also to the same effect.

    My testing at home, also a Microsoft Windows XP with the latest service pack and patches, has confirmed the bug. But the length of the long lines where different. I have had to put 65.535 chars in a line to get the same effect. Other Mozilla applications and every input field has not been tested. Also a testing with such long lines in HTML documents (e.g. as a link) were not positive. Is anybody able to confirm the problem in their environment too?

    The security threat of this may be given indirectly. An attacker may be able to use this vulnerability to obfuscate the real target of a link or the current address bar entry of a web site. This may be lead to realize technically supported social engineering attacks (e.g. phishing). Users should always check the location of a ressource twice if it seems not requested or suspicous in any way. And the Mozilla team should check their solutions to provide a small bugfix for this problem.

    A german version of this posting can be found at http://www.computec.ch/mruef/ and the entry in the german vulnerabiliy by scip AG is at http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1682

    Regards,

    Marc Ruef

    - --
    ) scip AG (
    Technoparkstr. 1
    8005 Zürich
    T +41 1 445 18 18
    F +41 1 445 18 19

    maru@scip.ch
    www.scip.ch

    - - Aktuellste IT-Sicherheitsluecken -

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.0
    Comment: http://www.scip.ch

    iQA/AwUBQviuMRe5hzJzqVMhEQK5GQCg4XqBtH5zBG3Bbcp0AlstrlCnaGkAoIHi
    COKFYbxYuY9WvAnviqJRVyoM
    =x9MD
    -----END PGP SIGNATURE-----

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/


  • Next message: Tim: "Re: [Full-disclosure] Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation"

    Relevant Pages