location bar
_______________________________________________________________________
Problem Description:
konqueror/konq_combo.cc in Konqueror 3.5.7 allows remote attackers
to spoof the data: URI scheme in the address bar via a long URI with
trailing whitespace, which prevents the beginning of the URI from
being displayed. (CVE-2007-3820)
KDE Konqueror 3.5.7 allows remote attackers to spoof the URL address
bar by calling setInterval with a small interval and changing the
Additional info:
http://lcamtuf.blogspot.com/2010/06/safari-tale-of-betrayal-and-revenge.html
Link to PoC: http://lcamtuf.coredump.cx/sfbypass/
3) Address bar spoofing in Firefox (CVE-2010-1206) - a
usability-related exception causes the destination URL to be inserted
in the address bar before the destination site is actually loaded; by
calling window.stop() or navigating to HTTP 204, it is possible to
keep this URL while rendering arbitrary attacker-controlled window
contents:
#################################################################
# Application Info:
# Name: Internet Explorer
# Version: 8.0
#################################################################
Vulnerability: IE address bar character conversion feature
In IE 8, a "\" (0x5c) typed into a URL in the address bar is automatically transformed into "/" (0x2f).
Example: www.securitylab.ir\a is converted to www.securitylab.ir/a
I recently found that some phishing sites take advantage of this feature to bypass some security checks, so I am noting it here.
#################################################################
# Discovered By: Pouya Daneshmand
(MFSA 2009-24)
CVE-2009-1834
Pavel Cvrcek discovered a potential issue leading to a spoofing attack
on the location bar related to certain invalid unicode characters.
(MFSA 2009-25)
CVE-2009-1835
Gregory Fleischer discovered that it is possible to read arbitrary
a remote attacker could cause a denial of service or possibly execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2009-3077)
Juan Pablo Lopez Yacubian discovered that Firefox did not properly display
certain Unicode characters in the location bar and other text fields when
using a certain non-Ubuntu font. If a user configured Firefox to use this
font, an attacker could exploit this to spoof the location bar, such as in
a phishing attack. (CVE-2009-3078)
It was discovered that the BrowserFeedWriter in Firefox could be subverted
Hi
With the new features implemented in IE 8, the status address bar has been
transformed too. The new step taken by the Microsoft IE team, which is not to
show the address of the selected link in the status bar, can have a serious
impact. A user will not be able to see the active link in the status bar.
This looks
Vulnerability:
==============
When the Firefox address bar and status bar handle a URL that contains
space characters, the URL is not properly encoded. Anything placed after
the blank characters, including malicious code, will be hidden. An attacker
can construct a long URL containing spaces in order to deceive the user
about the real URL.
Exploit:
==============
Hello, how are you? This time I am writing to let you know of a "spoofing" vulnerability in Internet Explorer 7.0 (tested on 8.0, where it does not work).
Creating a malformed pop-up can put any address in the address bar while the body shows any page or content.
This flaw is possible because if in the address bar we put, e.g.
Address # direction
the hash sign causes the first address to run, and what comes after the hash does not interfere with the original page. This is why, by creating a popup with special dimensions and trying to pass such an address, the popup displays the end of the address and does not show the address that actually runs. (The special dimensions are important, because if it is larger it does not work.)
Just a single click in the popup body reveals the true address, which could be dodged with an event like javascript onblur or onfocus. Anyway, that is more a serious attack than a proof of concept.
cross-domain redirect. An attacker could bypass the same-origin policy
in Firefox by utilizing nsIRDFService and steal private data from
users authenticated to the redirected website. (CVE-2009-0776)
Masahiro Yamada discovered that Firefox did not display control
characters in the location bar. An attacker could exploit this to
spoof the location bar, such as in a phishing attack. (CVE-2009-0777)
Updated packages for Ubuntu 8.04 LTS:
[-] http://www.exteen.com/manage/entryeditor.php (Create New Entry Page)
--- Description ---
There are 2 ways to exploit this page
1. Type "javascript:(function(){var x = document.getElementById('mce_editor_0_parent'); x.previousSibling.style.display = 'block';x.parentNode.removeChild (x);})()" on address bar and press Enter
2. Disable javascript on your Browser and visit the vulnerable page.
Both methods above will remove the tinymce filter; after that you can insert any script or HTML tag in your entry :D
> application:
> https://webmail.domain.tld/exchweb/bin/auth/owalogon.asp?url=
> https://webmail.domain.tld/[...]
>
> Microsoft also states correctly, that after the attack, the browser
> will no longer show the correct URL of the OWA in the address bar.
> The SSL certificate will also change or not be present anymore at
> all, depending on whether the attacker's page is encrypted or not.
>
> Timeline:
> ---------
- Keep za_crasher_proxy.exe running on System A.
- Launch IE on System B. It will go to
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
- Stop it and type any other web URL in the address bar. IE tries to locate that URL via the configured proxy IP and port.
Sniffed Output :
00000000 17 24 0A 20 00 1A A9 D8 81 88 13 80 00 00 00 00 .$. ....
incorrect file when opening it. Since this attack requires local
access to the victim's machine, the severity of this vulnerability
was determined to be low (CVE-2009-3274).
Security researcher Paul Stone reported that a user's form history,
both from web content as well as the smart location bar, was vulnerable
to theft. A malicious web page could synthesize events such as mouse
focus and key presses on behalf of the victim and trick the browser
into auto-filling the form fields with history entries and then
reading the entries (CVE-2009-3370).
%2fxss%2ejs><%5c%2fscript>')%3b<%2fscript>a:x@[host]/
* This is specially dangerous if launched against Firefox. In
order to protect the password from prying eyes, Firefox entirely
hides what comes before the at (@) character and then only the
host name remains visible in the address bar. Firefox will also
resubmit the auth credentials every time the host is visited
during the current browser session (unless new credentials are
supplied).
* User must be already logged in (via /~login) and the current
Ok, I'm missing it, what exactly is the spoof here? When the popup comes up
for me, the address of the page is
http://www.google.com.ar/#www.microsoft.com and I see in the address bar
#www.microsoft.com.
If I'm understanding the wording below correctly, it's because the # keeps
the browser from interpreting Microsoft.com and thus giving a bad URL, and
presumably, the browser cannot or does not have the ability to show the full
address (and perhaps in other browsers or scenarios people don't see the #
like I did - and also don't realize that the browser always prefixes its
There exist two separate security issues in Mozilla Firefox concerning
JavaScript prompts appearing from a domain which is not the true origin.
The first is about spawning a JavaScript prompt message over the web page of
another domain, so in effect the address bar and the browser content
are from one domain, but the prompted JavaScript message is generated by
script from a different domain. This results from a race
condition scenario, in which the browser is first navigated to a URL of
another domain, then, before it is loaded, a JavaScript message prompt is
immediately launched, so the JavaScript message is displayed over a web page
other than its origin web page. The issue here only affects Firefox, and
David James discovered that the window.opener property allows Chrome
privilege escalation.
CVE-2009-3985:
Jordi Chanel discovered a spoofing vulnerability of the URL location bar
using the document.location property.
CVE-2009-3984:
Jonathan Morgan discovered that the icon indicating a secure connection
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4225
https://issues.rpath.com/browse/RPL-1615
Description:
Previous versions of the kdebase and kdelibs packages permit multiple
URL address-bar spoofing attacks against the Konqueror web browser.
Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
======
These vulnerabilities allow remote attackers to execute arbitrary code,
to run scripts injected into Opera's History Search with elevated
privileges, to inject arbitrary web script or HTML into web pages, to
manipulate the address bar, to change Opera's preferences, to determine
the validity of local filenames, to read cache files, browsing history,
and subscribed feeds or to conduct other attacks.
Workaround
==========
CVE-2009-3078
Juan Pablo Lopez Yacubian discovered that incorrect rendering of
some Unicode font characters could lead to spoofing attacks on
the location bar.
For the stable distribution (lenny), these problems have been fixed
in version 1.9.0.14-0lenny1.
As indicated in the Etch release notes, security support for the
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2009-2654
Juan Pablo Lopez Yacubian discovered that incorrect handling of invalid
URLs could be used for spoofing the location bar and the SSL certificate
status of a web page.
Xulrunner is no longer supported for the old stable distribution (etch).
For the stable distribution (lenny), this problem has been fixed in
your mail looks like this...
http://seclists.org/fulldisclosure/2007/Jul/0288.html
http://seclists.org/fulldisclosure/2007/Jul/0290.html
you only put your eyes on the status bar, but the data URL scheme address bar spoofing on firefox isn't your discovery