Bug 100081

Summary: SECURITY: Konqueror vulnerable to URL spoofing using Unicode/UTF8
Product: [Applications] konqueror
Reporter: Jens <jens-bugs.kde.org>
Component: general
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED DUPLICATE    
Severity: normal    
Priority: NOR    
Version: 3.3.2   
Target Milestone: ---   
Platform: unspecified   
OS: Linux   
Latest Commit:
Version Fixed In:

Description Jens 2005-02-23 14:37:23 UTC
Version:           3.3.2 (using KDE 3.3.2 Level "a" , unofficial build of SUSE )
Compiler:          gcc version 3.3.3 (SuSE Linux)
OS:                Linux (i686) release 2.6.5-7.145-default

When using links like

<a href='http://www.p&#1072;ypal.com/'>paypal.com</a>

Konqueror will (correctly) display "www.paypal.com" in the address bar and the status bar (during mouseover), but the link will actually go to

   www.xn--pypal-4ve.com

(an IDN domain). This is a principle problem of international domain names, I guess. Perhaps the un-decoded name should also be displayed.

Firefox and Mozilla will disable IDN support by default from the next version, because of this: http://news.netcraft.com/archives/2005/02/15/firefox_to_disable_idn_support_as_phishing_defense.html


Thanks,

Jens
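
The display policy suggested in the report above (also showing the un-decoded name), as an added example that is not part of the original report and not Konqueror's own code. It decodes the href from the report, derives the ASCII (punycode) host with Python's built-in IDNA 2003 codec, and falls back to showing that form when a label mixes scripts; the function names and the script heuristic (first word of each character's Unicode name) are assumptions made for illustration.

```python
import html
import unicodedata
from urllib.parse import urlsplit


def host_from_href(href):
    """Decode HTML character references in an href and return its hostname."""
    return urlsplit(html.unescape(href)).hostname


def label_scripts(label):
    """Return the set of scripts used in one DNS label.

    Heuristic (assumption): the script is the first word of the character's
    Unicode name, e.g. LATIN or CYRILLIC. Digits and '-' are script-neutral.
    """
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def display_host(host):
    """Return (text_to_show, ascii_form, mixed_script_labels).

    The Unicode form is shown only when no label mixes scripts; otherwise
    the ASCII form that is actually resolved is shown instead.
    """
    ascii_form = host.encode("idna").decode("ascii")
    mixed = [lbl for lbl in host.split(".") if len(label_scripts(lbl)) > 1]
    return (ascii_form if mixed else host), ascii_form, mixed


if __name__ == "__main__":
    # The first href is the one from the report; the second is a constructed
    # all-ASCII control.
    for href in ("http://www.p&#1072;ypal.com/", "http://www.paypal.com/"):
        shown, ascii_form, mixed = display_host(host_from_href(href))
        print(f"show={shown!r} resolves={ascii_form!r} mixed={mixed!r}")
```

A label written entirely in one non-Latin script passes this check, so whole-script lookalikes need a separate confusables test.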
Comment 1 Daniel Teske 2005-02-23 14:44:33 UTC

*** This bug has been marked as a duplicate of 98788 ***
Comment 2 Jens 2005-02-23 14:59:52 UTC
Whoops. I explicitly searched the KDE bug DB even for "paypal.com" and did not find this bug. Sorry to waste your time. =)