Package: mozilla-firefox
Version: 1.0+dfsg.1-4
Severity: grave
Tags: security
Justification: user security hole

advisory: http://www.shmoo.com/idn/homograph.txt
demonstration: http://www.shmoo.com/idn/

highlights:

> I. Background
>
> International Domain Name [IDN] support in modern browsers allows attackers
> to spoof domain name URLs + SSL certs.

> III. The details
>
> Proof of concept URL:
>
> http://www.shmoo.com/idn/
>
> Clicking on any of the two links in the above webpage using anything but IE
> should result in a spoofed paypal.com webpage.

I confirm that this works on my sid machine.

> V. Workaround
>
> You can disable IDN support in mozilla products by setting
> 'network.enableIDN' to false.

I can confirm this works, but the domain not found message says
"http://www.paypal.com" cannot be found, so it isn't exactly a great
workaround.

> VI. Vendor Responses
>
> Mozilla: Working on finding a good long-term solution; provided clear
> workaround for disabling IDN.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (990, 'unstable'), (101, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-k7
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages mozilla-firefox depends on:
ii  debianutils     2.11.2           Miscellaneous utilities specific t
ii  fontconfig      2.2.3-4          generic font configuration library
ii  libatk1.0-0     1.8.0-4          The ATK accessibility toolkit
ii  libc6           2.3.2.ds1-20     GNU C Library: Shared libraries an
ii  libfontconfig1  2.2.3-4          generic font configuration library
ii  libfreetype6    2.1.7-2.3        FreeType 2 font engine, shared lib
ii  libgcc1         1:3.4.3-7        GCC support library
ii  libglib2.0-0    2.6.2-1          The GLib library of C routines
ii  libgtk2.0-0     2.6.1-2          The GTK+ graphical user interface
ii  libidl0         0.8.3-1          library for parsing CORBA IDL file
ii  libjpeg62       6b-9             The Independent JPEG Group's JPEG
ii  libkrb53        1.3.6-1          MIT Kerberos runtime libraries
ii  libpango1.0-0   1.8.0-3          Layout and rendering of internatio
ii  libpng12-0      1.2.8rel-1       PNG library - runtime
ii  libstdc++5      1:3.3.5-8        The GNU Standard C++ Library v3
ii  libx11-6        4.3.0.dfsg.1-10  X Window System protocol client li
ii  libxext6        4.3.0.dfsg.1-10  X Window System miscellaneous exte
ii  libxft2         2.1.2-6          FreeType-based font drawing librar
ii  libxp6          4.3.0.dfsg.1-10  X Window System printing extension
ii  libxt6          4.3.0.dfsg.1-10  X Toolkit Intrinsics
ii  psmisc          21.5-1           Utilities that use the proc filesy
ii  xlibs           4.3.0.dfsg.1-10  X Keyboard Extension (XKB) configu
ii  zlib1g          1:1.2.2-4        compression library - runtime

-- no debconf information

-- 
bye,
pabs
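A defender-side check for the class of spoofing the advisory describes, added here as an example that is not part of this bug report nor of Mozilla's code: it decodes xn-- labels back to Unicode, flags labels that mix scripts, and folds a small confusables table into a "skeleton" that is compared against a protected-name list. Both the confusables table and the protected list are constructed subsets for illustration; the sample hostname is constructed from the advisory's paypal.com case.

```python
"""Flag IDN labels that mix scripts or whose Latin-lookalike skeleton matches a protected name."""
import unicodedata

# Constructed subset of Cyrillic letters whose glyphs match Latin ones.
# Unicode's confusables.txt is far larger; this is hand-picked for the example.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}

# Constructed list of names a site operator wants to protect from lookalikes.
PROTECTED = {"paypal.com"}


def decode_host(host: str) -> str:
    """Turn ACE (xn--) labels back into Unicode; plain labels pass through unchanged."""
    return ".".join(
        label.encode("ascii").decode("idna") if label.lower().startswith("xn--") else label
        for label in host.split(".")
    )


def scripts_of(label: str) -> set:
    """Approximate each letter's script from its Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        name = unicodedata.name(ch, "")
        if ch.isalpha() and name:
            scripts.add(name.split(" ")[0])
    return scripts


def skeleton(host: str) -> str:
    """Map confusable characters to their Latin lookalikes so visual twins compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def check_host(host: str) -> dict:
    """Report the decoded form, any mixed-script labels, and a protected name it imitates."""
    unicode_host = decode_host(host)
    mixed = [lbl for lbl in unicode_host.split(".") if len(scripts_of(lbl)) > 1]
    skel = skeleton(unicode_host)
    lookalike = skel if skel in PROTECTED and unicode_host != skel else None
    return {"unicode": unicode_host, "mixed_script_labels": mixed, "lookalike_of": lookalike}


if __name__ == "__main__":
    # Constructed sample: Latin "paypal" with the first "a" replaced by Cyrillic U+0430.
    print(check_host("xn--pypal-4ve.com"))
```

The same check applied to the Unicode form a browser shows in its location bar or in an error message catches the case the reporter describes, where the display string reads "www.paypal.com" but the label is not the Latin one.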