gentoo_lan l33t
Joined: 08 Sep 2004 Posts: 891 Location: Charles Town, WV
Flammie Retired Dev
Joined: 02 Jun 2003 Posts: 633 Location: Dublin, Ireland
Posted: Tue Feb 08, 2005 6:38 pm
This is a new vulnerability? I've known this for quite some time (ok, I didn't exactly think anyone'd use the technique to spoof web addresses, but anyways). I think I even reported a tangentially related bug once, since mozilla's punycode handling has been flawed for a long time now (I actually found it out when testing http://lohikäärme.dyndns.org for my web address; it must be at least a year ago).
wdreinhart Guru
Joined: 11 Jun 2003 Posts: 569 Location: 4QFJ12345678
Posted: Tue Feb 08, 2005 8:16 pm
The really nasty part is you can turn IDN handling off in about:config, but it will be silently turned back on the next time you open mozilla. Yuck.
Pink Veteran
Joined: 24 Jul 2003 Posts: 1062
gentoo_lan l33t
Joined: 08 Sep 2004 Posts: 891 Location: Charles Town, WV
Posted: Tue Feb 08, 2005 10:23 pm
Here is a temporary workaround for linux...of course any time you install a new plugin you will have to redo it:

Quote:
    Here's a workaround for linux, I'm sure there's something similar in other
    OS's, but I don't have access to them to look. This does disable all idn
    service lookups as far as I can tell. This should help with the security
    issue at the moment until a more feasible solution can be found.

    Open a terminal and type...
    $ cd ~/.mozilla/firefox/
    In that folder will be another folder whose name will depend on your
    profile name; if you used the default, the folder will be
    foobar.default
    Change to the *.default folder and type...
    $ vim (or vi, kvim, gvim, scite, etc) compreg.dat
    Now use vi's search function by typing....
    /idn-service;1
    You will find two locations that match it, highlight the 1 with the cursor,
    and use the 'r' key to replace the 1 with a 0.
    Do this for both locations, then go back to www.schmoo.com/idn and test, and
    it won't allow you to navigate to the page. I've tried testing it on a few
    fake sites and it doesn't allow navigation to them.
tecknojunky Veteran
Joined: 19 Oct 2002 Posts: 1937 Location: Montréal
Posted: Wed Feb 09, 2005 5:30 am
gentoo_lan wrote:
    Here is a temporary workaround for linux...
    Quote:
        Here's a workaround for linux, I'm sure there's something similar in other OS's, but I don't have access to them to look.

On Windows, the workaround for this is easy... use IE.
_________________
(7 of 9) Installing star-trek/species-8.4.7.2::talax.
Mnemia Guru
Joined: 17 May 2002 Posts: 476
Posted: Wed Feb 09, 2005 5:44 am
I noticed you can see the real site address if you choose "View > Page Source". Until they fix this I imagine I'll be paranoid about checking that.
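As an added example, not code from this thread or from Mozilla: a small Python checker for the two points raised above, Flammie's remark about punycode handling and Mnemia's habit of looking up the real address. It decodes a hostname's xn-- labels back to what the location bar would display, reports the ASCII wire form that DNS actually resolves, and flags labels that mix scripts or use Cyrillic look-alikes for Latin letters. The confusables table is a constructed, partial subset, and the paypal look-alike sample is constructed; the lohikäärme hostname is the one from Flammie's post.

```python
import unicodedata

# Constructed subset of Unicode's confusables list: Cyrillic letters that most
# fonts render identically to the Latin letter on the right. Not exhaustive.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

def to_unicode(hostname):
    """Decode xn-- (punycode) labels to the Unicode string a browser displays."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return hostname  # already in Unicode form

def to_ascii(hostname):
    """The wire form DNS resolves: trust this, not what the location bar shows."""
    return hostname.encode("idna").decode("ascii")

def label_scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold a label to the ASCII it looks like: map confusables, strip diacritics."""
    folded = "".join(CONFUSABLE.get(ch, ch) for ch in label)
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def assess(hostname):
    """Report what the user sees, what DNS resolves, and whether it looks spoofed."""
    shown = to_unicode(hostname)
    wire = to_ascii(shown)
    labels = shown.split(".")
    mixed = any(len(label_scripts(label)) > 1 for label in labels)
    uses_confusable = any(ch in CONFUSABLE for ch in shown)
    return {
        "displayed": shown,
        "wire": wire,
        "is_idn": wire != shown,
        "looks_like": ".".join(skeleton(label) for label in labels),
        "mixed_script": mixed,
        "suspicious": mixed or uses_confusable,
    }

if __name__ == "__main__":
    # Samples: a constructed Cyrillic-a look-alike of paypal, and the IDN from Flammie's post.
    for host in ("www.xn--pypal-4ve.com", "lohik\u00e4\u00e4rme.dyndns.org"):
        print(assess(host))
```

Python's built-in idna codec implements the older IDNA2003 rules, so a genuine IDN with diacritics is reported as an IDN but not as suspicious; only mixed scripts and the listed confusables trigger the flag.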
kallamej Administrator
Joined: 27 Jun 2003 Posts: 4975 Location: Gothenburg, Sweden
Posted: Wed Feb 09, 2005 8:45 am
Moved from Off the Wall, please follow up to the above-mentioned thread.
_________________
Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat