Scovetta Labs Security Advisory

 Title:         IDN Feature Workaround via proxy.pac
 Status:        Public
 Release Date:  2005-02-08

 Package:       Web Browsers
 Vendor:        Mozilla -
                Opera -
 Priority:      High
 Vulnerability: IDN Allows Domain Spoofing

Affected Versions:

 Firefox 1.0 is vulnerable
 Most other modern browsers (except IE) have been reported vulnerable

Background: (from official advisory [1])

 International Domain Name [IDN] support in modern browsers allows 
 attackers to spoof domain name URLs + SSL certs.


 See description [1].


 See exploit [1].

 A browser-level fix for this vulnerability is to create a proxy.pac
 (auto-configuration) file, containing the following text:

function FindProxyForURL(url, host){
  // valid characters, add more as you find you need them
  var validChars = "abcdefghijklmnopqrstuvwxyz0123456789.-";
  for (var i=0; i<host.length; i++) {
    if (validChars.indexOf(host[i]) == -1) {
      alert('Invalid character(s) in host name.');
      // send the request to a fake proxy so the page cannot load
      return "PROXY";
    }
  }
  // every character was valid: connect directly, no proxy
  return "DIRECT";
}

See [3] for the full proxy.pac file.
See [4] for a walk-through (for beginners).

This workaround is simple in concept. It tests every character in the
host name to make sure it is valid, and if any invalid character is
found, it directs the browser to a fake proxy server (which means the
address can't resolve).

2005-02-10: Revision
 The host[i] reference is not valid with Internet Explorer. This line
 must be changed from:
    if (validChars.indexOf(host[i]) == -1) {
 to:
    if (validChars.indexOf(host.charAt(i)) == -1) {
 The IDNproxy.pac file has been updated also. Apologies for the bug.

2005-02-10: Revision
 The script does not check for capitalized letters. Therefore, going
 to would be stopped. I am now converting
 the host to lowercase and using that instead.

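As an added example (not the advisory's own IDNproxy.pac and not code from
Scovetta Labs), below is the workaround with both 2005-02-10 revisions
applied: charAt() instead of host[i], and the host lower-cased before the
character test. It also goes one step beyond the advisory by flagging any
DNS label that starts with the punycode prefix "xn--", which is how a
browser that hands the PAC script the ASCII form of an IDN would present a
look-alike name; the plain character test alone would let such a host
through. The sink proxy address 127.0.0.1:9, the helper names
isPlainAsciiHost, hasPunycodeLabel and checkSamples, and the sample host
names are assumptions made for this example, not values from the advisory.

```javascript
// Added example: the advisory's workaround with both revisions applied,
// plus a punycode-label check. Not the advisory's own proxy.pac.

// Assumed sink: any address that accepts no connections will do, which is
// what makes the request to a refused host fail instead of loading.
var SINK_PROXY = "PROXY 127.0.0.1:9";

// Characters permitted in a plain ASCII host name (a-z, digits, '.', '-').
var validChars = "abcdefghijklmnopqrstuvwxyz0123456789.-";

// True when every character of the (already lower-cased) host is in
// validChars. charAt() is used because host[i] is not portable (IE).
function isPlainAsciiHost(host) {
  for (var i = 0; i < host.length; i++) {
    if (validChars.indexOf(host.charAt(i)) == -1) {
      return false;
    }
  }
  return true;
}

// True when any DNS label carries the ACE prefix "xn--", i.e. the host is
// an IDN that the browser has already converted to its ASCII form.
function hasPunycodeLabel(host) {
  var labels = host.split(".");
  for (var i = 0; i < labels.length; i++) {
    if (labels[i].indexOf("xn--") == 0) {
      return true;
    }
  }
  return false;
}

// PAC entry point. Lower-cases the host first so that "WWW.EXAMPLE.COM"
// is treated the same as "www.example.com", then refuses anything that is
// not plain ASCII or that contains a punycode label.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();
  if (!isPlainAsciiHost(h) || hasPunycodeLabel(h)) {
    return SINK_PROXY;   // unreachable proxy: the page never loads
  }
  return "DIRECT";       // ordinary host: connect without a proxy
}

// Constructed sample hosts for a stand-alone check of the rules above.
// "www.xn--exmple-cua.com" is the punycode form of "www.ex\u00e4mple.com".
var SAMPLE_HOSTS = [
  "www.example.com",
  "WWW.EXAMPLE.COM",
  "www.ex\u00e4mple.com",
  "www.xn--exmple-cua.com",
  "host_name.example.com"
];

// Returns an object mapping each sample host to the PAC decision for it.
function checkSamples() {
  var results = {};
  for (var i = 0; i < SAMPLE_HOSTS.length; i++) {
    var host = SAMPLE_HOSTS[i];
    results[host] = FindProxyForURL("http://" + host + "/", host);
  }
  return results;
}
```

Point the browser's automatic proxy configuration URL at the file; hosts
that fail the test are sent to a proxy that never answers, so the request
fails instead of loading the look-alike site. The check is deliberately
blunt: every non-ASCII and every punycode host is refused, so legitimate
international sites are blocked as well, which is the trade the advisory's
workaround makes.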
Vendor Response:

 See vendor response [1]

Revision History
2005-02-08: Public Release [2]
2005-02-10: Minor change in work-around, lower-case hostname forcing


 Discovery of the vulnerability to Eric Johanson (
 Proxy.pac workaround to Michael V. Scovetta
 Thanks to Peter Pramberger for pointing out flaw (see revision above)




 The content of this report is purely informational and meant only 
 for the purpose of education and protection. Scovetta Labs and 
 Michael Scovetta shall in no event be liable for any damage 
 whatsoever, direct or implied, arising from use or spread of this 
 information. All identifiers (hostnames, IP addresses, company names, 
 individual names etc.) used in examples and demonstrations are used 
 only for explanatory purposes and have no connection with any real 
 host, company or individual. In no event should it be assumed that 
 use of these names means specific hosts, companies or individuals 
 are vulnerable to any attacks nor does it mean that they consent to 
 being used in any vulnerability tests. The use of information in 
 this report is entirely at user's risk.

 (c) 2005 Michael Scovetta. Forwarding and publishing of this document 
 is permitted providing the content between "[BEGIN-SCL-REPORT]" and
 "[END-SCL-REPORT]" marks remains unchanged.

=====[END-SCL-REPORT]=====