=====[BEGIN-SCL-REPORT]=====
________________________________________________________________________

Scovetta Labs Security Advisory

Title:        IDN Feature Workaround via proxy.pac
Status:       Public
Release Date: 2005-02-08
________________________________________________________________________

Package:       Web Browsers
Vendor:        Mozilla - http://www.mozilla.org
               Opera - http://www.opera.com
               Others (non-IE)
Priority:      High
Vulnerability: IDN Allows Domain Spoofing

Affected Versions:
==================
Firefox 1.0 is vulnerable.
Most other modern browsers (except IE) have been reported vulnerable.

Background: (from official advisory [1])
===========
International Domain Name [IDN] support in modern browsers allows
attackers to spoof domain name URLs + SSL certs.

Description:
============
See description [1].

Exploit:
========
See exploit [1].

Work-around:
============
A browser-level fix for this vulnerability is to create a proxy.pac
(auto-configuration) file containing the following text. Requests whose
host name contains a character outside the allowed list are routed to
the proxy address 127.0.0.1:9999 instead of the real site.

    function FindProxyForURL(url, host) {
        // valid characters, add more as you find you need them
        var validChars = "abcdefghijklmnopqrstuvwxyz0123456789.-";
        for (var i = 0; i < host.length; i++) {
            // charAt() also works in engines without string indexing
            if (validChars.indexOf(host.charAt(i)) == -1) {
                alert('Invalid character(s) in host name.');
                // route the request to 127.0.0.1:9999, not the real host
                return "PROXY 127.0.0.1:9999";
            }
        }
        // only allowed characters in the host name: connect normally
        return "DIRECT";
    }

See [3] for the full file.

Vendor Response:
================
See vendor response [1].

Revision History
================
2005-02-08: Public Release [2]

Credits:
========
Discovery of the vulnerability to Eric Johanson (ericj@xxxxxxxxx).
Proxy.pac workaround to Michael Scovetta (security@xxxxxxxxxxxxxxxx).

References:
===========
[1] http://www.shmoo.com/idn/homograph.txt
[2] http://www.scovettalabs.com/advisory/SCL-2005.002.txt
[3] http://www.scovettalabs.com/download/IDNproxy.pac

Disclaimer
==========
The content of this report is purely informational and meant only for
the purpose of education and protection. Scovetta Labs and Michael
Scovetta shall in no event be liable for any damage whatsoever, direct
or implied, arising from use or spread of this information. All
identifiers (hostnames, IP addresses, company names, individual names
etc.) used in examples and demonstrations are used only for explanatory
purposes and have no connection with any real host, company or
individual. In no event should it be assumed that use of these names
means specific hosts, companies or individuals are vulnerable to any
attacks nor does it mean that they consent to being used in any
vulnerability tests. The use of information in this report is entirely
at user's risk.

Copyright
=========
(c) 2005 Michael Scovetta. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-SCL-REPORT]" and
"[END-SCL-REPORT]" marks remains unchanged.

=====[END-SCL-REPORT]=====
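
Added example (not part of the advisory and not the author's IDNproxy.pac): a stricter variant of the work-around's host filter that checks each label and accepts upper-case ASCII without case-folding the whole name. As an assumption beyond the advisory, it also blocks "xn--" (ACE-encoded IDN) labels in case the browser hands the PAC script the ASCII form of the name; helper names and sample hosts are constructed.

```javascript
// Added example, not the advisory's IDNproxy.pac. The "xn--" rule and the
// helper names are assumptions; BLACKHOLE is the advisory's proxy address.
var BLACKHOLE = "PROXY 127.0.0.1:9999";
// ASCII upper case is listed explicitly: host.toLowerCase() would also fold
// some non-ASCII characters (U+212A KELVIN SIGN becomes "k") before the check.
var VALID_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-";

// Returns null for an acceptable label, otherwise the reason it is rejected.
function checkLabel(label) {
  if (label.length === 0) return "empty label";
  if (label.substring(0, 4).toLowerCase() === "xn--") return "ACE (IDN) label";
  for (var i = 0; i < label.length; i++) {
    if (VALID_CHARS.indexOf(label.charAt(i)) === -1) return "non-ASCII or invalid character";
  }
  return null;
}

// Checks every dot-separated label; one trailing dot (FQDN form) is allowed.
function checkHost(host) {
  var h = host.charAt(host.length - 1) === "." ? host.slice(0, -1) : host;
  var labels = h.split(".");
  for (var i = 0; i < labels.length; i++) {
    var reason = checkLabel(labels[i]);
    if (reason !== null) return reason;
  }
  return null;
}

function FindProxyForURL(url, host) {
  var reason = checkHost(host);
  if (reason === null) return "DIRECT";
  // alert() exists in browser PAC environments but not in every JS runtime.
  if (typeof alert === "function") alert("Blocked " + host + ": " + reason);
  return BLACKHOLE;
}

// Constructed sample hosts (not from the advisory) and the resulting decision.
var SAMPLES = ["www.example.com", "WWW.Example.COM.", "ex\u0430mple.com",
               "www.xn--constructed.test", "\u212Aernel.example"];
function decideSamples() {
  var out = {};
  for (var i = 0; i < SAMPLES.length; i++) {
    out[SAMPLES[i]] = FindProxyForURL("http://" + SAMPLES[i] + "/", SAMPLES[i]);
  }
  return out;
}
```
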