Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 URL string obfuscation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear lists,
During a web application audit for a customer I detected a design error in the
applications of the Mozilla suite. I was testing very long URL requests, which I
usually do with a terminal emulator (e.g. Telnet or NetCat) or tools like
Mini-Browser. After I found suspicious handling of my input on the server side,
I tried to validate it with my web browser. Since the 0.9 release my default
browser has been Mozilla Firefox, currently running in the up-to-date version
1.0.6.
After I entered the _very_ long URL (approx. 5,474 chars) in the address bar of
the browser, the whole line went blank. I was not able to see my input; it
looked deleted, empty. But I was sure the input chars were there, because I was
able to scroll the blinking cursor through the line. A partial or full selection
of the URL made it visible again. It seems that the text color switched to
white, so it is not possible to see it on the white background color of the
address bar combobox. I used something like
"http://www.scip.ch/?aaa[lot_more_a's]aaa" as input string. It is not necessary
to press enter to see the effect. Just put such a long line into the specified
field.
Then I tried to send an example URL to my private mail account to test this
behavior on my home installation. My whole personal mail traffic is handled by
Mozilla Thunderbird 1.0, so it was not really a surprise that the same problem
was present there too. The enormously long line of input in the mail body also
showed the same effect.
My testing at home, also on Microsoft Windows XP with the latest service pack
and patches, has confirmed the bug. But the lengths of the long lines were
different: I had to put 65,535 chars in a line to get the same effect. Other
Mozilla applications and every other input field have not been tested. Also,
testing with such long lines in HTML documents (e.g. as a link) was not
positive. Is anybody able to confirm the problem in their environment too?
The security threat here is an indirect one. An attacker may be able to use
this vulnerability to obfuscate the real target of a link or the current
address bar entry of a web site. This may lead to technically supported social
engineering attacks (e.g. phishing). Users should always check the location of
a resource twice if it seems unrequested or suspicious in any way. And the
Mozilla team should check their solutions to provide a small bugfix for this
problem.
A German version of this posting can be found at http://www.computec.ch/mruef/
and the German vulnerability entry by scip AG is at
http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1682
Regards,
Marc Ruef
- --
) scip AG (
Technoparkstr. 1
8005 Zürich
T +41 1 445 18 18
F +41 1 445 18 19
maru@xxxxxxx
www.scip.ch
- - Latest IT security vulnerabilities -
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch
iQA/AwUBQviuMRe5hzJzqVMhEQK5GQCg4XqBtH5zBG3Bbcp0AlstrlCnaGkAoIHi
COKFYbxYuY9WvAnviqJRVyoM
=x9MD
-----END PGP SIGNATURE-----
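The post above describes the rendering problem only in words. The following is an added example, not code from the original posting or from Mozilla: it builds a test URL of the shape the author used ("http://www.scip.ch/?aaa...aaa") padded to an exact total length, and shows a small client-side check that flags overlong links and reports the host they really point to, so the true target is visible regardless of how an address bar or mail body renders the string. The length threshold, the function names and the sample input are assumptions for illustration; the post gives no safe limit.

```javascript
// Added example (not from the original post). Assumed helper names:
// buildLongUrl, flagOverlongLinks. The threshold value is an assumed policy.

// Build a test URL of exactly `totalLength` characters by padding the base
// URL with a filler character, as in the author's "?aaa...aaa" input.
// The lengths reported in the post (approx. 5474 for Firefox 1.0.6,
// 65535 for Thunderbird 1.0) are the author's observations on his systems.
function buildLongUrl(base, totalLength, pad = "a") {
  if (totalLength < base.length) {
    throw new RangeError("totalLength is shorter than the base URL");
  }
  return base + pad.repeat(totalLength - base.length);
}

// Classify a list of hrefs. Anything at or above `threshold` characters is
// flagged as suspicious, and the real target host is extracted with the
// WHATWG URL parser so it can be shown to the user independently of how
// the UI renders the (possibly invisible) address text.
function flagOverlongLinks(hrefs, threshold = 2048) {
  return hrefs.map((href) => {
    let host = null;
    try {
      host = new URL(href).host;
    } catch (e) {
      host = null; // unparsable input: still reported, without a host
    }
    return {
      href,
      length: href.length,
      suspicious: href.length >= threshold,
      host,
    };
  });
}

// Constructed sample input (not captured from a real page): one ordinary
// link and one padded to the Firefox length reported in the post.
const samples = [
  "http://www.scip.ch/",
  buildLongUrl("http://www.scip.ch/?", 5474),
];

for (const r of flagOverlongLinks(samples)) {
  console.log(
    `${r.suspicious ? "SUSPICIOUS" : "ok"} host=${r.host} length=${r.length}`
  );
}
```

The check deliberately reports the host from the parsed URL rather than from the visible text of the link, since the whole point of the obfuscation described above is that the visible text cannot be trusted.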