Mozilla Firefox Encoded Status Bar Spoofing Weakness
BID:25196
Info
| Bugtraq ID: | 25196 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 03 2007 12:00AM |
| Updated: | Aug 06 2007 05:44PM |
| Credit: | Michal Bucko is credited with discovering this weakness. |
| Vulnerable: | Mozilla Firefox 2.0.0.6 |
| Not Vulnerable: | |
Discussion
Mozilla Firefox is prone to a weakness that may allow an attacker to obfuscate a malicious link.
By obfuscating the true destination of a malicious link, the attacker may be able to launch further attacks.
Mozilla Firefox 2.0.0.6 is vulnerable; other versions may also be affected.
NOTE: Further reports and investigation suggest that this weakness may not be an issue. Some argue that the status bar is not meant to provide a reliable indication of the destination; this problem may be a generic flaw in web browsers.
Exploit / POC
An attacker may exploit this issue by enticing victims into visiting a malicious site.
The following proof of concept is available:
http://www.eleytt.com/michal.bucko/Eleytt_PhishAGoGo/bucked2.html
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].
References
References:
- Mozilla Homepage (Mozilla Foundation)
- [ELEYTT] 3SIERPIEN2007 ([email protected])