Bug 100081 - SECURITY: Konqueror vulnerable to URL spoofing using Unicode/UTF8
Status: RESOLVED DUPLICATE of bug 98788
Alias: None
Product: konqueror
Classification: Applications
Component: general
Version: 3.3.2
Platform: unspecified Linux
Importance: NOR normal
Assignee: Konqueror Developers
Reported: 2005-02-23 14:37 UTC by Jens
Modified: 2005-02-23 14:59 UTC

Description Jens 2005-02-23 14:37:23 UTC
Version:           3.3.2 (using KDE 3.3.2 Level "a" , unofficial build of SUSE )
Compiler:          gcc version 3.3.3 (SuSE Linux)
OS:                Linux (i686) release 2.6.5-7.145-default

When using links like

<a href='http://www.p&#1072;ypal.com/'>paypal.com</a>

Konqueror will (correctly) display "www.paypal.com" in the address bar and the status bar (during mouseover), but the link will actually go to

   www.xn--pypal-4ve.com

(an IDN domain). This is a principle problem of international domain names, I guess. Perhaps the un-decoded name should also be displayed.

Firefox and Mozilla will disable IDN support by default from the next version, because of this: http://news.netcraft.com/archives/2005/02/15/firefox_to_disable_idn_support_as_phishing_defense.html


Thanks,

Jens
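
The report's suggestion of showing the un-decoded name can be sketched as follows. This is an added example, not part of the original report and not Konqueror's code; the function names are hypothetical, and deriving a character's script from its Unicode name plus the "more than one script in a label" policy are assumptions made for illustration.

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: the link from the report (&#1072; is CYRILLIC SMALL LETTER A).
SAMPLE = "<a href='http://www.p&#1072;ypal.com/'>paypal.com</a>"

def label_scripts(label):
    """Approximate the set of scripts in one DNS label (assumption: the first
    word of the Unicode character name stands in for the script)."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue  # digits and hyphen are shared by every script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def display_host(host):
    """Return (text_to_show, suspicious) for a Unicode host name.
    A label mixing scripts is shown in its ASCII (xn--) wire form."""
    ace = host.encode("idna").decode("ascii")
    mixed = any(len(label_scripts(part)) > 1 for part in host.split("."))
    return (ace if mixed else host), mixed

def audit_links(markup):
    """Return [(link_text, host_to_show, suspicious)] for each <a href> found."""
    results = []
    pattern = r"<a\s+href=(['\"])(.*?)\1[^>]*>(.*?)</a>"
    for m in re.finditer(pattern, markup, re.S | re.I):
        href = html.unescape(m.group(2))   # resolve &#1072; to the real character
        host = urlsplit(href).hostname or ""
        shown, mixed = display_host(host)
        results.append((m.group(3), shown, mixed))
    return results

if __name__ == "__main__":
    for text, shown, mixed in audit_links(SAMPLE):
        flag = "MIXED-SCRIPT" if mixed else "ok"
        print(f"link text {text!r} -> host shown as {shown!r} [{flag}]")
```

A per-label mixed-script check like this does not flag a label written entirely in one non-Latin script, so it narrows the spoofing window rather than closing it.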
Comment 1 Daniel Teske 2005-02-23 14:44:33 UTC

*** This bug has been marked as a duplicate of 98788 ***
Comment 2 Jens 2005-02-23 14:59:52 UTC
Whoops. I explicitly searched the KDE bug DB even for "paypal.com" and did not find this bug. Sorry to waste your time. =)