Firefox 2.0.0.1 Phishing Protection bypass

+ Subject:
Firefox 2.0.0.1 Phishing Protection bypass

+ Version:
Firefox 2.0.0.1 [ Linux | Windows ]

+ Discovered by:
Kanedaaa: http://kaneda.bohater.net

+ Phishing Protection Description:
Phishing Protection takes Firefox's security to a new level, helping to safeguard your financial information and protect you from identity theft. When you encounter a Web site that is a suspected forgery (known as a phishing site), Firefox will warn you and offer to take you to a search page so you can find the real Web site you were looking for.

+ Bypass Description:
It is possible to bypass Phishing Protection by adding some characters to the URL. The URL is still valid and works properly, but no phishing warning is shown.

When we add a "/" character after the domain in the URL field, Phishing Protection treats the result as a different site from the original, and the Phishing Protection test fails. Example, when my URL is on the phishing list:

http://kaneda.bohater.net/phish.html - warning will be displayed

http://kaneda.bohater.net//phish.html - warning will NOT be displayed

Of course we can add more "/".

As real life shows [Firefox HexEncoding Anti-Phishing bypass, URL: http://sla.ckers.org/forum/read.php?13,2253 ], phishers can use this technique in the near future for abusive actions.
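The mismatch described above, as an added example that is not part of the original advisory or Firefox's own code: an exact-string blocklist lookup next to one that canonicalizes the URL first. It goes slightly beyond the "/" case by also undoing percent-encoding, the variant the linked HexEncoding post refers to. The function names and the one-entry list are assumptions; the URLs are the advisory's own test URLs.

```javascript
// Added example: exact-match vs. canonicalizing blocklist lookup.
// All function names here are hypothetical, not Firefox internals.

// Reduce a URL to one canonical key so that equivalent spellings compare equal.
function canonicalize(url) {
  const u = new URL(url);          // the parser lowercases scheme and host
  let path = u.pathname;
  // Undo percent-encoding repeatedly (bounded) so "%70" and "%2570" both become "p".
  for (let i = 0; i < 5; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(path);
    } catch {
      break;                       // malformed escape: keep what we have
    }
    if (decoded === path) break;
    path = decoded;
  }
  // Collapse runs of "/" so "//phish.html" and "/phish.html" are one key.
  path = path.replace(/\/{2,}/g, "/");
  return `${u.protocol}//${u.host}${path}${u.search}`;
}

// Constructed one-entry list holding the advisory's listed URL.
const RAW_LIST = ["http://kaneda.bohater.net/phish.html"];
const EXACT_LIST = new Set(RAW_LIST);
const CANONICAL_LIST = new Set(RAW_LIST.map(canonicalize));

// Exact string comparison: the behaviour the bypass relies on.
function naiveIsBlocked(url) {
  return EXACT_LIST.has(url);
}

// Canonicalize both the list entries and the visited URL before comparing.
function isBlocked(url) {
  return CANONICAL_LIST.has(canonicalize(url));
}

for (const url of [
  "http://kaneda.bohater.net/phish.html",
  "http://kaneda.bohater.net//phish.html",
  "http://kaneda.bohater.net/%70hish.html",
]) {
  console.log(url, "naive:", naiveIsBlocked(url), "canonical:", isBlocked(url));
}
```

Decoding and slash-collapsing deliberately over-match: for a warning list, flagging an equivalent spelling is the safer failure mode.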

Timeline:
2007.01.09 bug discovered
2007.01.19 "/" bug sent to http://bugzilla.mozilla.org [Bug 367538]
2007.01.19 answer from Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=367538
2007.02.06 posted to Bugtraq

Original Advisory: http://kaneda.bohater.net/security/20070111-firefox_2.0.0.1_bypass_phishing_protection.php

Blog published by Blogspot.com
Poster: FireFox Fans
