[Full-disclosure] Apple Safari: idn urlbar spoofing
jagger at swiecki.net
Mon Jun 25 21:33:19 BST 2007
With a specially crafted web page, an attacker can redirect
a www browser to the page, which URL (on the address bar) resembles an
arbitrary domain choosen by the attacker.
It is possible due to the fact, that apple safari supports
IDNs - http://en.wikipedia.org/wiki/Internationalized_domain_name -
and some of the UTF8 font glyphs embedded in the safari, could be used
to create an URL which contains whitespaces.
The picture taken on my system:
Tested with Apple Safari 3.0.2 (522.13.1) on MS Windows 2003 SE SP2
Full-Disclosure is hosted and sponsored by Secunia.