OR '' = ''
Sanitising single quotations has been pre-school stuff since whenever
How embarrassing for all the FF fanboiz who stamp their feet about IE vulns
Flaws in the way the latest version of Mozilla Firefox presents authentication dialog boxes leave the door open for cybercrooks to trick users into handing over login credentials, a leading security researcher warns. The spoofing weakness - discovered by Israeli security researcher Aviv Raff - involves a failure by the open …
Correct me if I'm wrong (there's a fair chance hence my cowardice) but the RFC indicates that the Realm value is a quoted-string; it's acceptable to use single quotes and white-space in a quoted-string (see RFC 822 - I've got hugs for you if you were born in the 80s).
Now, although you can use this to exploit users' stupidity, isn't Firefox simply being compliant and following the standards?
It's similar to using www.vvaterstones.com instead of www.waterstones.com (the first has two Vs): annoying, but solving it would require a complete change of the process.
/Am I holding the smelly end?
At least we don't have to wait until the 2nd Tuesday in February for a patch.
But that aside - I agree with "So, basically ... " Who in their right mind would enter their details into a popup that is sourced from a link from a different site - I say this to everyone who asks about phishing, always type the address yourself (or use your bookmarks) when going to a shopping site/banking site/email etc. - or don't click on a link from somewhere else (i.e. another site or your email!!)
The real issue is that Firefox is not displaying the given realm-value in any sort of way that allows easy discrimination between what the site provided and what Firefox is wrapping around it.
As for "sanitizing" the realm value, RFC 822 is quite clear: a quoted-string can include spaces and quotes. RFC 2069 and RFC 2617 both state that realm-value is a quoted-string. Sanitizing the string would therefore make Firefox non-compliant with said standards.
So Firefox seems to be correctly following the standards, but it could make things clearer about what has been provided by the website as the realm name. Which means that Mr Raff's "problem" and "solution" would seem to be more geared towards attracting press attention (successfully it seems) rather than actually fixing the real issue that Firefox isn't making a dramatic visual distinction between the provided realm-value and the rest of the authentication text.
So no, not quite as embarrassing as Mr. Millar would have us believe.
I think the issue is that:
"Google Account (https://www.google.com)'' Certified by Verisign: blahblah click ''Certificate"
is a VALID realm! ( I think...)
Firefox SHOULDN'T sanitise this... Although FF could display things a little better to make it clear which site you're giving details to.
But imho FF hasn't really got a security bug; more of a layout/clarity issue.
:)
The example dialog says:
>>> Enter username and password for "Google Account (https://www.google.com)" Certified by Verisign Inc. Get more information by clicking "Certificate" at http://avivraff.com
The spoof (phishing) domain name, http://avivraff.com, is still visible in the message. The presentation could be improved to make it less convincing though:
>>> The server http://avivraff.com [blurb about any SSL certificate] is asking for a user name and password for "Google Account [blah blah ]".
But how often does a site use HTTP AUTH, rather than using a login form of its own and cookies? Basically never. A user who is used to a login form on the page is less likely to be taken in by this dialog.
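As an added illustration of the presentation fix suggested in the post above (example code written for this thread, not anything from Firefox or from Mr Raff's demo): parse the realm as the RFC 2617 quoted-string it is, keep it intact rather than sanitising it, and render the prompt with the requesting host first and the site-supplied realm boxed off. The challenge string and the URL are constructed samples.

```python
import re
from urllib.parse import urlsplit

# RFC 2617 challenge: auth-scheme 1*SP realm=quoted-string [, other params].
# quoted-string (RFC 2616 / RFC 822): "..." where \x escapes any character,
# so spaces and escaped quotes are legal inside; stripping them breaks compliance.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample in the style of the dialog quoted above: the realm itself
# carries escaped quotes and a second URL so it reads like browser chrome.
SAMPLE_URL = "http://phish.example/login"
SAMPLE_CHALLENGE = ('Basic realm="Google Account (https://www.google.com)\\" '
                    'Certified by Verisign Inc. Get more information by '
                    'clicking \\"Certificate"')

def parse_realm(www_authenticate: str) -> tuple[str, str]:
    """Return (scheme, realm) from a WWW-Authenticate header value.
    Unquoted realms (non-compliant but seen in the wild) are taken up to
    the next comma; quoted-pair escapes inside a quoted-string are undone."""
    scheme, _, params = www_authenticate.strip().partition(" ")
    m = re.search(r'(?i)\brealm\s*=\s*', params)
    if not m:
        raise ValueError("no realm in challenge")
    rest = params[m.end():]
    q = _QUOTED.match(rest)
    if q:
        realm = re.sub(r'\\(.)', r'\1', q.group(1))
    else:
        realm = rest.split(",", 1)[0].strip()
    return scheme, realm

def render_prompt(request_url: str, www_authenticate: str) -> str:
    """Build dialog text that leads with the server the browser is actually
    talking to and brackets the site-supplied realm so it cannot pass as
    text the browser wrote."""
    origin = urlsplit(request_url)
    host = origin.hostname or "?"
    scheme, realm = parse_realm(www_authenticate)
    # Collapse tabs/newlines so a realm cannot fake extra dialog lines.
    shown = " ".join(realm.split())
    return (f"The server {host} ({origin.scheme.upper()}) is asking for a "
            f"user name and password ({scheme}).\n"
            f"Realm supplied by the site: [{shown}]")
```

Run `print(render_prompt(SAMPLE_URL, SAMPLE_CHALLENGE))` to see the constructed realm rendered with the real host on the first line.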
If you're stupid enough to enter your bank/email details into a popup on Facebook, then you deserve to have your account cleaned out. It was forgivable when these sorts of attacks were shiny and new, but now everyone should be aware of them.
Having a couple of grand transferred out of your account would be a lesson you wouldn't soon forget.
>> It's similar to using www.vvaterstones.com instead of www.waterstones.com (first
>> has 2 vs) annoying but to solve it would require a complete change of the
>> process.
I see what you mean, it is a bit like being fooled into thinking w\/\/Ш.7#er3$t3®.(0.√k is www.theregister.co.uk (some characters have been subtly altered - see if you can figure out which ones, if you have a few hours to spare).
Let's just go back to HTML 3, no active scripting, whether Java or ActiveX, and certainly no Flash (wasn't that a heavy-duty detergent for cleaning the kitchen floors?). In fact, just plain words and pictures.
No, I am being serious. I am absolutely pissed off with Web2.0 designers finding ever more inventive ways of making me insecure. In fact, I am thinking of upgrading from Firefox to OffByOne as my principal browser. And if your web site doesn't work? Well tough, there are plenty that do.
No coat to take.
That people are too stupid to read what's displayed on the screen.
Somehow, I tend to doubt that this particular problem could be laid at the feet of the FF dev team; nor even the IE dev team (although that lot seem to have gotten their degrees entirely in Marketing, and picked up coding as a hobby...).