Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscation

["Marc Ruef" <maru () scip ch>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear lists,

During a web application audit for a customer I detected a design error in the applications of the Mozilla suite. I was 
testing very long URL requests what I am usually do with a terminal emulation (e.g. Telnet or NetCat) or tools as like 
Mini-Browser. After I have found a suspicous computation of my input at server side I tried to validate this one with 
my web browser. Since the 0.9 release my default browser is Mozilla Firefox, currently running in the up-to-date 
version 1.0.6.

After I have entered the _very_ long URL (approx. 5.474 chars) in the address bar of the browser the whole line went 
blank. I was not able to see my input - It looked like deleted, empty. But I was sure the input chars where there 
because I was able to scroll the blinking cursor thru the line. A partial or fully selection of the URL made it visible 
again. It seems that the text color switched to white so it is not possible to see it on the white background color of 
the address bar combobox. I used something like "http://www.scip.ch/?aaa[lot_more_a's]aaa"; as input string. It is not 
needed to press enter to see the effect. Just put such a long line into the specified field.

Then I tried to send an example URL to my private mail account to test this behavior at my home installation. My whole 
personal mail traffic is handled by Mozilla Thunderbird 1.0 so it was not really a surprise the same problem where 
given there too. The enormous long line of input of the mail body switched also to the same effect.

My testing at home, also a Microsoft Windows XP with the latest service pack and patches, has confirmed the bug. But 
the length of the long lines where different. I have had to put 65.535 chars in a line to get the same effect. Other 
Mozilla applications and every input field has not been tested. Also a testing with such long lines in HTML documents 
(e.g. as a link) were not positive. Is anybody able to confirm the problem in their environment too?

The security threat of this may be given indirectly. An attacker may be able to use this vulnerability to obfuscate the 
real target of a link or the current address bar entry of a web site. This may be lead to realize technically supported 
social engineering attacks (e.g. phishing). Users should always check the location of a ressource twice if it seems not 
requested or suspicous in any way. And the Mozilla team should check their solutions to provide a small bugfix for this 
problem.

A german version of this posting can be found at http://www.computec.ch/mruef/ and the entry in the german vulnerabiliy 
by scip AG is at http://www.scip.ch/cgi-bin/smss/showadvf.pl?id=1682

Regards,

Marc Ruef

- -- 
) scip AG (
Technoparkstr. 1
8005 Zürich
T +41 1 445 18 18 
F +41 1 445 18 19

maru () scip ch
www.scip.ch

- - Aktuellste IT-Sicherheitsluecken -

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: http://www.scip.ch

iQA/AwUBQviuMRe5hzJzqVMhEQK5GQCg4XqBtH5zBG3Bbcp0AlstrlCnaGkAoIHi
COKFYbxYuY9WvAnviqJRVyoM
=x9MD
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/