Subsystem: Near Field Communication
-----------------------------
Executive Summary:
URI/URL Spoofing when displaying the content of an NDEF Smart Poster
and plain URI tag. Web browser does not display full hostname when
loading a web page.
Crash of the parser for various parts of NDEF records, reboots
graphical user interface (GUI) of phone.
I too tested on the same version of Firefox but it worked in my case! What address did you use as main URL? Was it google.com?
You can find the snap of the spoofed URL captured in Firefox here: hxxp://img249.imageshack.us/my.php?image=spoofzg2.png
Firefox 3.x:
CVE-2009-1392: Firefox browser engine crashes
CVE-2009-1832: Firefox double frame construction flaw
CVE-2009-1833: Firefox JavaScript engine crashes
CVE-2009-1834: Firefox URL spoofing with invalid unicode characters
CVE-2009-1835: Firefox Arbitrary domain cookie access by local file:
resources
CVE-2009-1836: Firefox SSL tampering via non-200 responses to proxy
CONNECT requests
CVE-2009-1837: Firefox Race condition while accessing the private
vulnerability. The full POC has been released at milw0rm.
Have a look at it: http://milw0rm.com/exploits/7226
The problem is this: most web servers have anti-viruses which
treated it as a URL Spoofing virus. Anyway, the POC has been
released for the latest version.
Regards
Aditya KS
http://www.secniche.org
Mozilla developers fixed several bugs, including an issue with
modifying XPCNativeWrappers (CVE-2007-3738), a problem with event
handlers executing elements outside of the document (CVE-2007-3737),
and a cross-site scripting (XSS) vulnerability (CVE-2007-3736). They
also fixed a problem with promiscuous IFRAME access (CVE-2007-3089) and
an XULRunner URL spoofing issue with the wyciwyg:// URI and HTTP 302
redirects (CVE-2007-3656). Denials of Service involving corrupted
memory were fixed in the browser engine (CVE-2007-3734) and the
JavaScript engine (CVE-2007-3735). Finally, another XSS vulnerability
caused by a regression in the CVE-2007-3089 patch was fixed
(CVE-2007-3844).
Subsystem: Near Field Communication
-----------------------------
Executive Summary:
URL Spoofing when displaying the content of an NDEF
URI tag. Web browser does not display full hostname when
loading a web page.
Crash of the parser for parts of an NDEF record, reboots
graphical user interface (GUI) of phone.