VULNERABILITIES - June 14, 2004

by Marianna Schmudlach / June 14, 2004 12:33 AM PDT

Mozilla Browser Address Bar Spoofing Weakness

CRITICAL:
Less critical

IMPACT:
Spoofing

WHERE:
From remote

SOFTWARE:
Mozilla 1.0
Mozilla 1.1
Mozilla 1.2
Mozilla 1.3
Mozilla 1.4
Mozilla 1.5
Mozilla 1.6
Mozilla Firefox 0.x

DESCRIPTION:
A weakness has been reported in Mozilla, allowing malicious people to
conduct phishing attacks.

The weakness is caused due to an error within the handling of URLs.
This can be exploited to potentially trick users into supplying
sensitive information to a malicious web site, because information
displayed in the address bar can be constructed in a certain way,
which may lead users to believe that they're visiting another web
site than the displayed web site.

More: http://www.sophos.com/virusinfo/analyses/trojsoberh.html

Yahoo's Visual Captchas a.k.a. Word Verification Systems Flawed
by Donna Buenaventura / June 14, 2004 12:43 AM PDT

Summary
A captcha (an acronym for "completely automated public Turing test to tell computers and humans apart") is a type of challenge-response test used in computing to determine whether or not the user is human. One such test is utilized by Yahoo to prevent spammers from creating accounts for the sole purpose of sending spam through Yahoo. The system used by Yahoo has been found to contain a flaw that would allow a spammer to solve this Turing test once and utilize the solution for any future requests for new accounts he makes.

Details
Whilst Tom tried to write an OCR program to solve visual captchas, or "word verification" tests as they are called by online services, Tom noticed that with Yahoo the online forms which the captchas were trying to protect from bots could be submitted just by solving one image and changing the ".SecData" POST variable to the image name without its extension. This means of course that a bot would not need to solve the captcha, which is quite a challenge at present.

Example:
This means that solving just this test:
<INPUT type="hidden" name=".SecData" value="akasdmfhugfcvwenecjeeve--">

And then submitting it to any future request done to Yahoo would bypass the problem posed by the Word Verification System used.

Vendor status:
Tom contacted Yahoo about this issue and has received no reply. At the moment he doesn't have an idea of the scale of the problem of mass account holding so he is not sure if this warrants "a fix". The problem must have been serious enough to warrant measures to be taken against it. Yahoo cannot be the only website using this technology, so what other sites could be vulnerable? Online E-mail providers, Banks, Shops?

http://www.securiteam.com/securitynews/5EP0D15D5W.html
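The flaw described above is a verifier that trusts a client-chosen image name as proof the puzzle was solved, so one known image/answer pair works forever. As an added example (not from the post, SecuriTeam or Yahoo), the Python below puts that replayable pattern next to a hardened one in which the server issues a random, single-use, expiring challenge id; `STATIC_IMAGES`, `verify_replayable`, `CaptchaStore` and all sample values are constructed for illustration.

```python
import secrets
import time

# Constructed catalogue standing in for a fixed set of captcha images: the
# image name is the only key, so one solved image stays valid forever.
STATIC_IMAGES = {"img-0001": "qv7mxz", "img-0002": "ph3kn2"}   # constructed

def verify_replayable(sec_data, submitted):
    """Weak pattern (hypothetical): the client names the image it solved."""
    answer = STATIC_IMAGES.get(sec_data)
    return answer is not None and answer == submitted.lower()

class CaptchaStore:
    """Hardened pattern (hypothetical): a random, single-use, expiring id
    issued by the server is the only thing the form may echo back."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}          # challenge id -> (answer, expiry time)

    def issue(self, answer, now=None):
        """Register a fresh challenge and return its opaque id for the form."""
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (answer.lower(), now + self.ttl)
        return cid

    def verify(self, cid, submitted, now=None):
        """Consume the id on every attempt so a known solution cannot be replayed."""
        now = time.time() if now is None else now
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False            # never issued, already used, or purged
        answer, expires = entry
        if now > expires:
            return False            # stale challenge
        return secrets.compare_digest(answer.encode(), submitted.lower().encode())
```

The `now` parameter only exists so expiry can be exercised deterministically; a real deployment would also purge expired entries and rate-limit issuance per client.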

Sygate Personal Firewall Pro May Be Disabled By Local Programs

Summary
Sygate Personal Firewall Pro provides a "multi-layered shield of network, content, application, and operating system protection for your PC. The Pro version includes a comprehensive Intrusion Protection System (IPS) which includes IDS, DoS protection, and Trojan protection."

Sygate Personal Firewall has a fail-safe mechanism that will stop all network traffic to and from the system in case the firewall service is unavailable. Hence if a malicious local program is able to kill the firewall service, all traffic will stop. However, there is a flaw in the implementation of this feature, allowing an attacker to bypass this mechanism.

Vulnerable Systems:
* Sygate Personal Firewall Pro version 5.5 Build 2525 on Win2k SP4

Vendor Status:
The vendor has been contacted and the vulnerability will be fixed in the upcoming release.

Disclosure Timeline
20 May 04 - Vulnerability Discovered
30 May 04 - Initial Vendor Notification
08 Jun 04 - Initial Vendor Response
13 Jun 04 - Public Release

http://www.securiteam.com/windowsntfocus/5CP0A15D6U.html

Opera '%2F' URL Parsing Error Lets Remote Users Spoof Arbitrary URLs
by Donna Buenaventura / June 14, 2004 12:56 AM PDT

SecurityTracker URL: http://securitytracker.com/id?1010481

Date: Jun 13 2004

Impact: Modification of system information

Exploit Included: Yes

Version(s): 7.51

Description: A vulnerability was reported in the Opera web browser in the parsing of URLs containing the '%2F' character. A remote user can spoof arbitrary URLs.

http-equiv reported that 'bitlance winter' discovered that a remote user can create a specially crafted HTML link that, when loaded by the target user, will cause an arbitrary web site to be loaded with a partially spoofed URL. The partially spoofed URL will contain the full URL but may also contain space or null characters that cause the portion of the URL containing the attacker's site to be pushed far enough to the right in the URL status bar so as to not be visible.

The web site can be loaded in the security domain of an arbitrary site.

It is reported that the attacker's exploit site must be configured to respond to HTTP queries regardless of what value is specified for the HTTP "Host:" header.

Brett Moore reported that the malicious URL does not need to include the 'redir' attribute.

A demonstration exploit example that uses an SSL-based exploit site is provided at:

http://www.malware.com/gutted.html

Impact: A remote user can create HTML that, when loaded by the target user, will spoof an arbitrary site.

Solution: No solution was available at the time of this entry.

Vendor URL: www.opera.com/

Cause: Input validation error, State error

Underlying OS: Windows (Any)

Reported By: http-equiv

Internet Explorer '%2F' URL Parsing Error Lets Remote Users Spoof Sites in the Trusted Zone
by Donna Buenaventura / June 14, 2004 12:59 AM PDT

SecurityTracker URL: http://securitytracker.com/id?1010482
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jun 13 2004

Impact: Modification of system information

Exploit Included: Yes

Version(s): 6

Description: A vulnerability was reported in Microsoft Internet Explorer in the parsing of URLs containing the '%2F' character. A remote user can spoof Trusted Site and Local Computer zone URLs.

http-equiv reported that 'bitlance winter' discovered that a remote user can create a specially crafted HTML link that, when loaded by the target user, will cause an arbitrary web site to be loaded with a partially spoofed URL. The partially spoofed URL will contain the full URL but may also contain space or null characters that cause the portion of the URL containing the attacker's site to be pushed far enough to the right in the URL status bar so as to not be visible.

The web site can be loaded in the security domain of an arbitrary site. As a result, a remote user can spoof arbitrary web sites in the target user's trusted sites security domain.

It is reported that the attacker's exploit site must be configured to respond to HTTP queries regardless of what value is specified for the HTTP "Host:" header.

Thor Larholm reported that a remote user can also cause the HTML to load in the Local Intranet zone by leaving out a top level domain in the first part of the URL. Some demonstration exploit examples are provided:

http://whatever%3fredir=www.e-gold.com
http://whate ver%3fredir=yourevilsite.com

Brett Moore reported that the malicious URL does not need to include the 'redir' attribute.

A demonstration exploit example that uses an SSL-based exploit site is provided at:

http://www.malware.com/gutted.html

Impact: A remote user can create HTML that, when loaded by the target user, will spoof an arbitrary site in the target user's trusted domain or local computer domain.

Solution: No solution was available at the time of this entry.

Vendor URL: www.microsoft.com/technet/security/
Cause: Input validation error, State error

Underlying OS: Windows (Any)

Reported By: http-equiv
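The Opera and Internet Explorer reports above describe the same display trick: an encoded delimiter, space or null inside the authority part of a link ends the real host early while the rest of the string still looks like the intended site. As an added example (not from the posts or from SecurityTracker), the Python below is a defender's link auditor that assumes the reported behaviour, namely that the host ends at the first decoded delimiter, and flags links whose visible domain is not the host actually contacted; `effective_host`, `audit_link` and the sample URLs other than the two quoted in the post are hypothetical.

```python
import re
from urllib.parse import unquote

# Characters that end the host once percent-decoded ('?' and '/'), plus the
# padding and truncation characters the reports mention (space and NUL).
HOST_TERMINATORS = "?/\x00 "
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.IGNORECASE)

def effective_host(url):
    """Host a client would contact under the reported parsing: the authority
    is percent-decoded and cut at the first delimiter found (assumption)."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return None
    authority = rest.split("/", 1)[0]      # up to the first literal '/'
    decoded = unquote(authority)
    for t in HOST_TERMINATORS:
        decoded = decoded.split(t, 1)[0]
    return decoded.split(":", 1)[0].lower()  # drop any port

def audit_link(url):
    """Return the reasons a link looks like a display spoof (empty if clean)."""
    host = effective_host(url)
    if host is None:
        return ["not an absolute URL"]
    findings = []
    decoded = unquote(url.partition("://")[2].split("/", 1)[0])
    if any(t in decoded for t in HOST_TERMINATORS):
        findings.append("encoded delimiter or padding inside authority")
    if "@" in decoded:
        findings.append("userinfo before the real host")
    if "." not in host:
        findings.append("host has no dot: may land in an intranet zone")
    shown = {d.lower() for d in DOMAIN_RE.findall(url)}
    if any(d != host for d in shown):
        findings.append("displayed domain differs from effective host")
    return findings
```

Run `audit_link` over links extracted from mail or proxy logs; the "no dot" finding corresponds to the Local Intranet zone behaviour Thor Larholm describes, and the "displayed domain" finding to the pushed-aside host in both reports.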
