Vulnerability CVE-2005-0238


Published: 2005-05-02   Modified: 2008-09-05

Description:
The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.

Vendor: Opera software
Product: Opera web browser 
Version: 7.54;
Vendor: Omnigroup
Product: Omniweb 
Version: 5;
Vendor: Mozilla
Product: Mozilla 
Version:
1.6
1.5.1
1.5
1.4.4
1.4.2
1.4.1
1.4
1.3.1
1.3
1.2.1
1.2
1.1
1.0.2
1.0.1
1.0
0.9.9
0.9.8
0.9.7
0.9.6
0.9.5
0.9.48
0.9.4.1
0.9.4
0.9.35
0.9.3
0.9.2.1
0.9.2
0.8
Product: Firefox 
Version: 1.0;
Product: Camino 
Version: 0.8.5;
Vendor: Gnome
Product: Epiphany 

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

 References:
https://bugzilla.redhat.com/beta/show_bug.cgi?id=147399
http://xforce.iss.net/xforce/xfdb/19236
http://www.shmoo.com/idn/homograph.txt
http://www.shmoo.com/idn
http://www.securityfocus.com/bid/12461
http://lists.grok.org.uk/pipermail/full-disclosure/2005-February/031459.html

Related CVE
CVE-2017-14604
GNOME Nautilus before 3.23.90 allows attackers to spoof a file type by using the .desktop file extension, as demonstrated by an attack in which a .desktop file's Name field ends in .pdf but this file's Exec field launches a malicious "sh -c" command....
CVE-2017-2870
An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send...
CVE-2017-2862
An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file...
CVE-2017-14108
libgedit.a in GNOME gedit through 3.22.1 allows remote attackers to cause a denial of service (CPU consumption) via a file that begins with many '\0' characters.
CVE-2017-1000083
backend/comics/comics-document.c (aka the comic book backend) in GNOME Evince before 3.24.1 allows remote attackers to execute arbitrary commands via a .cbt file that is a TAR archive containing a filename beginning with a "--" command-line option su...
CVE-2015-2675
The OAuth implementation in librest before 0.7.93 incorrectly truncates the pointer returned by the rest_proxy_call_get_url function, which allows remote attackers to cause a denial of service (application crash) via running the EnsureCredentials met...
CVE-2017-11590
There is a NULL pointer dereference in the caseless_hash function in gxps-archive.c in libgxps 0.2.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11464
A SIGFPE is raised in the function box_blur_line of rsvg-filter.c in GNOME librsvg 2.40.17 during an attempted parse of a crafted SVG file, because of incorrect protection against division by zero.

Copyright 2017, cxsecurity.com

 

Back to Top