Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [SA25663] Microsoft Internet Explorer 7 HTTP Basic Authentication IDN Spoofing



> 
> TITLE:
> Microsoft Internet Explorer 7 HTTP Basic Authentication IDN Spoofing
> 
> SECUNIA ADVISORY ID:
> SA25663
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/25663/
> 
> CRITICAL:
> Not critical
> 
> IMPACT:
> Spoofing
> 
> WHERE:
> From remote
> 
> SOFTWARE:
> Microsoft Internet Explorer 7.x
> http://secunia.com/product/12366/
> 
> DESCRIPTION:
> A weakness has been discovered in Internet Explorer 7, which can be
> exploited by malicious people to conduct spoofing attacks.
> 
> The problem is caused due to an unintended result of the IDN
> (International Domain Name) implementation in the HTTP Basic
> Authentication dialog. This can be exploited to spoof a server in the
> authentication dialog using international characters in domain names
> when a user visits a malicious web page.
> 
> The weakness is confirmed in Internet Explorer 7 on a fully patched
> Windows XP. Other versions may also be affected.
> 
> SOLUTION:
> Do not provide user credential to suspicious authentication dialogs.
> 
> PROVIDED AND/OR DISCOVERED BY:
> Alex
> 
> ORIGINAL ADVISORY:
> http://www.bitsploit.de/archives/428-Cross-Domain-Basic-Auth-P
> hishing-Tactics.html
> 
> OTHER REFERENCES:
> http://ha.ckers.org/blog/20070608/cross-domain-basic-auth-phis
> hing-tactics/
> 



 




Copyright © Lexa Software, 1996-2009.