|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3498 CVE : CVE-2007-6590 CVE : CVE-2007-6591 CVE : CVE-2007-6592 CVE : CVE-2008-2809 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Available : No Credit : Nils Toedtmann Published : 28.12.2007
Advisory Content : Moin * Mozilla based browsers (Firefox, Netscape, ...), Konqueror and Safari 2 do not bind a user-approved webserver certificate to the originating domain name. This makes the user vulnerable to certificate spoofing by "subjectAltName:dNSName" extensions. I set up a demonstration at <http://test.eonis.net/>, check it out. For details (vulnerable versions, vendor status, bug ids ...) see <http://nils.toedtmann.net/pub/subjectAltName.txt> Attack scenario: (1) Assumed a phisher could redirect a user's browser to his prepared https webserver spoofing "www.paypal.com" (by DNS spoofing or domain hijacking or other MITM attack). But the user's browser would raise an "unknown CA" warning because the phisher does not have a certificate for "www.paypal.com" issued by a browser-trusted CA (that's what X.509 and TLS is all about!). Thus, the phisher defers this step. (2) The phisher creates another website "www.example.com" (not spoofed) and a home brewed X.509 cert: DN="CN=www.example.com" subjectAltName:dNSName=www.example.com subjectAltName:dNSName=www.paypal.com and lures the user to https://www.example.com/. The user gets an "unknown CA" warning, but the "subjectAltName:dNSName" extensions are not shown to him, so the cert looks ok. As he does not plan to enter any private information, he accepts it (temporarily or permanently) and proceeds. (3) Any time later (if the cert got accepted temporarily this has to happen within the same session), the phisher lures the user to his spoofed https://www.paypal.com/, using the very same self-signed certificate - NO WARNING! In the end, the cert warning and the spoofing attempt get separated into two events which appear to the user as being unrelated. I consider this a severe cert-spoofing issue, aggravated by the fact that affected browsers also match any hostname with "subjectAltName:dNSName=*". For Mozilla, this issue is known for more than three years without being fixed. Regards, /nils.  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |