| View previous topic :: View next topic |
| Author |
Message |
gentoo_lan
l33t
Joined: 08 Sep 2004
Posts: 891
Location: Charles Town, WV
|
|
| Back to top |
|
 |
Flammie
Retired Dev
Joined: 02 Jun 2003
Posts: 633
Location: Dublin, Ireland
|
 Posted: Tue Feb 08, 2005 6:38 pm Post subject: |
 |
|
| This is a new vulnerability? I've known this quite some time (ok, I didn't exactly think anyone'd use the technique to spoof web addresses, but anyways), I think I even reported a tangentially related bug once, since mozilla's punycode handling has been flawed for a long time now (I actually found it out when testing http://lohikäärme.dyndns.org for my web address, it must be at least year ago). |
|
| Back to top |
|
|
wdreinhart
Guru
Joined: 11 Jun 2003
Posts: 569
Location: 4QFJ12345678
|
| Posted: Tue Feb 08, 2005 8:16 pm Post subject: |
|
|
| The really nasty part is you can turn IDN handling off in about:config, but it will be silently turned back on the next time you open mozilla. Yuck. |
|
| Back to top |
|
|
Pink
Veteran
Joined: 24 Jul 2003
Posts: 1062
|
|
| Back to top |
|
|
gentoo_lan
l33t
Joined: 08 Sep 2004
Posts: 891
Location: Charles Town, WV
|
| Posted: Tue Feb 08, 2005 10:23 pm Post subject: |
|
|
Here is a temporary workaround for linux...of course any time you install a new plugin you will have to redo it:
| Quote: | Here's a workaround for linux, I'm sure there's something similar in other
os's, but I don't have access to them to look. This does disable all idn
service lookups as far as I can tell. This should help with the security
issue at the moment until a more feasible solution can be found.
open a terminal and type...
$ cd ~/.mozilla/firefox/
in that folder will be another folder where the name will depend on your
profile name, if you used to default, the folder will be
foobar.default
change to the *.default folder and type...
$ vim (or vi, kvim, gvim, scite, etc) compreg.dat
now use vi's search function by typing....
/idn-service;1
You will find two locations that match it, highlight the 1 with the cursor,
and use the 'r' key to replace the 1 with a 0.
Do this for both locations, then go back to www.schmoo.com/idn and test, and
it won't allow you to navigate to the page. I've tried testing it on a few
fake sites and it doesn't allow navigation to them. |
|
|
| Back to top |
|
|
tecknojunky
Veteran
Joined: 19 Oct 2002
Posts: 1937
Location: Montréal
|
| Posted: Wed Feb 09, 2005 5:30 am Post subject: |
|
|
| gentoo_lan wrote: | Here is a temporary workaround for linux...
| Quote: | | Here's a workaround for linux, I'm sure there's something similar in other os's, but I don't have access to them to look. |
|
On Windows, the work around for this is easy... use IE  . 
_________________
(7 of 9) Installing star-trek/species-8.4.7.2::talax. |
|
| Back to top |
|
|
Mnemia
Guru
Joined: 17 May 2002
Posts: 476
|
| Posted: Wed Feb 09, 2005 5:44 am Post subject: |
|
|
| I noticed you can see the real site address if you choose "View > Page Source". Until they fix this I imagine I'll be paranoid about checking that. |
|
| Back to top |
|
|
kallamej
Administrator
Joined: 27 Jun 2003
Posts: 4975
Location: Gothenburg, Sweden
|
| Posted: Wed Feb 09, 2005 8:45 am Post subject: |
|
|
Moved from Off the Wall, please follow up to the above mentioned thread.
_________________
Please read our FAQ Forum, it answers many of your questions.
irc: #gentoo-forums on irc.libera.chat |
|
| Back to top |
|
|
|
Duplicate Threads
