Date: Wed, 13 Jun 2007 04:15:56 +0300
From: Trancer <mtrancer@...il.com>
To: cardoso <cardosolistas@...traditorium.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari for Windows feed:// URL Denial of Service Vulnerability

I spent about 2 minutes until I found this.
Worse than Windows Me and Microsoft Bob?! Now you're just being mean :-)

cardoso wrote:
> Are you sure it's wise to waste resources poking Safari/Windows in
> search of flaws?
>
> The thing DOS itself, my machine (vista home premium, braz. portuguese
> edition) can't run Safari for more than a few minutes, less, if I try to
> actually open a website.
>
> I'm an Apple fanboy, proud owner of a Macbook, but I think this
> abomination is the worst piece of software I ever installed, including
> Windows Me and Microsoft Bob.
>
> On Wed, 13 Jun 2007 03:42:02 +0300
> Trancer <mtrancer@...il.com> wrote:
>
>> Apple Safari for Windows feed:// URL Denial of Service Vulnerability
>>
>> Versions: Apple Safari For Windows 3 Beta
>>
>> Apple Safari for Windows is prone to a denial-of-service vulnerability
>> because it fails to properly handle a crafted feed:// link.
>>
>> Proof-of-Concept:
>> Link: feed://%
>> Exploit: <a href="feed://%">DoS</a>
>> Yes, this will crash Safari. Yes, it's that easy.
>> Note that this doesn't work with http://, ftp://, gopher:// etc.
>>
>> Reference:
>> http://www.rec-sec.co.il/2007/06/12/apple-safari-for-windows-vulnerabilities/#exp
>>
>> Credit:
>> Moshe Ben-Abu of BugSec is credited with discovering this vulnerability.
>>
>> Vendor has been notified.
>>
>> --
>> Moshe Ben-Abu :: Trancer
>> 0nly Human...
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> -------------------------------------------------------------
> Carlos Cardoso
> http://www.carloscardoso.com <== semi-personal blog
> http://www.contraditorium.com <== ProBlogging and digital culture
>
> "You lost today, kid. But that doesn't mean you have to like it"

--
Moshe :: Trancer
0nly Human...
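The proof-of-concept link in the quoted advisory, feed://%, is a percent sign with no hex digits after it, which is not a well-formed percent-escape under RFC 3986. The advisory does not say what Safari does with it internally, so the example below does not model the crash; it shows the input-side check a URL handler or feed reader can apply so that a malformed escape is rejected with an error instead of being passed on to a decoder. This is an added example, not code from the original thread or from Apple; the scheme allow-list and the sample URLs are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# RFC 3986: a percent-encoded octet is '%' followed by exactly two hex digits.
_PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")
# Any '%' that does not start a full two-hex-digit escape is malformed.
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")
# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")

# Constructed allow-list for this example; a real handler would use its own policy.
ALLOWED_SCHEMES = {"http", "https", "feed"}


def validate_url(url: str):
    """Strictly validate a URL before handing it to a scheme handler.

    Returns (ok, reason). Rejects missing/unknown schemes, an empty host, and
    any '%' that does not begin a well-formed escape (e.g. the bare '%' in
    'feed://%', the proof-of-concept quoted above).
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if not parts.scheme or not _SCHEME.match(parts.scheme):
        return False, "missing or malformed scheme"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme}"
    if not parts.netloc:
        return False, "missing host"
    bad = _BAD_PCT.search(url)
    if bad:
        return False, f"malformed percent-escape at offset {bad.start()}"
    return True, "ok"


def strict_unquote(s: str) -> str:
    """Percent-decode only when every '%' is well-formed; raise otherwise.

    urllib.parse.unquote is lenient and silently keeps a stray '%'; checking
    first turns malformed input into an explicit error at the boundary.
    """
    bad = _BAD_PCT.search(s)
    if bad:
        raise ValueError(f"malformed percent-escape at offset {bad.start()}")
    return unquote(s)


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's PoC plus ordinary URLs.
    for sample in ["feed://%", "feed://example.com/rss.xml",
                   "feed://example.com/a%20b", "gopher://example.com/",
                   "http://example.com/%zz"]:
        ok, reason = validate_url(sample)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {sample!r}: {reason}")
```

The check runs on the raw URL string before any decoding, which is the point: once a lenient decoder has normalised the input, the malformed escape is no longer visible to later code.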