Date: Wed, 13 Jun 2007 04:15:56 +0300
From: Trancer <mtrancer@...il.com>
To: cardoso <cardosolistas@...traditorium.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari for Windows feed:// URL Denial of Service Vulnerability

I spent about 2 minutes until I found this.

Worse than Windows Me and Microsoft Bob?! Now you're just being mean :-)

cardoso wrote:
> Are you sure it's wise to waste resources poking  Safari/Windows in
> search of flaws?
>
> The thing DoSes itself; my machine (Vista Home Premium, Brazilian Portuguese
> edition) can't run Safari for more than a few minutes, less if I try to
> actually open a website.
>
> I'm an Apple fanboy, proud owner of a Macbook, but I think this
> abomination is the worst piece of software I ever installed, including
> Windows Me and Microsoft Bob. 
>
>
> On Wed, 13 Jun 2007 03:42:02 +0300
> Trancer <mtrancer@...il.com> wrote:
>
>   
>> Apple Safari for Windows feed:// URL Denial of Service Vulnerability
>>
>> Versions: Apple Safari For Windows 3 Beta
>>
>> Apple Safari for Windows is prone to a denial-of-service vulnerability
>> because it fails to properly handle a crafted feed:// link.
>>
>> Proof-of-Concept:
>> Link: feed://%
>> Exploit: <a href="feed://%">DoS</a>
>> Yes, this will crash Safari. Yes, it's that easy.
>> Note that this doesn't work with http://, ftp://, gopher:// etc.
>>
>> Reference:
>> http://www.rec-sec.co.il/2007/06/12/apple-safari-for-windows-vulnerabilities/#exp
>>
>> Credit:
>> Moshe Ben-Abu of BugSec is credited with discovering this vulnerability.
>>
>> Vendor has been notified.
>>
>> -- 
>> Moshe Ben-Abu :: Trancer
>> 0nly Human...
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>     
>
> -------------------------------------------------------------
> Carlos Cardoso
> http://www.carloscardoso.com <== blog semi-pessoal
> http://www.contraditorium.com <== ProBlogging e cultura digital
>
> "You lost today, kid. But that doesn't mean you have to like it"
>


-- 
Moshe :: Trancer
0nly Human...

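Added example, not part of the thread above and not Apple's code: a strict validator for the percent-escapes in a URL string, written in JavaScript. The function names and the sample URLs are my own. It reports the bare "%" in the feed://% trigger as a malformed escape, applies the same check regardless of scheme (the advisory says only feed:// misbehaved, so a dispatcher should not trust each scheme handler to cope), and shows that the built-in decodeURIComponent likewise throws URIError on such input rather than decoding it partially. Nothing here reproduces the Safari crash; it is the input check a URL dispatcher would want in front of per-scheme handlers.

```javascript
// Added example (not from the advisory): strict validation of the
// percent-escapes in a URL before it reaches a scheme handler. A "%"
// that is not followed by two hex digits, as in "feed://%", is reported
// as malformed instead of being passed on.

const HEX = /[0-9A-Fa-f]/;

// Returns the index of the first malformed percent-escape in `url`,
// or -1 when every "%" is followed by exactly two hex digits.
function firstBadEscape(url) {
  for (let i = 0; i < url.length; i++) {
    if (url[i] !== '%') continue;
    const hi = url[i + 1];
    const lo = url[i + 2];
    if (hi === undefined || lo === undefined || !HEX.test(hi) || !HEX.test(lo)) {
      return i;
    }
    i += 2; // skip the two hex digits just checked
  }
  return -1;
}

// Splits off the scheme (RFC 3986 syntax) and applies the escape check
// to every scheme alike. Hypothetical gatekeeper, not a Safari API.
function checkUrl(url) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(url);
  const scheme = m ? m[1].toLowerCase() : null;
  const bad = firstBadEscape(url);
  return { scheme, ok: scheme !== null && bad === -1, badAt: bad };
}

// For comparison: the built-in decoder rejects a truncated escape by
// throwing URIError rather than producing a partial decode.
function builtinDecodeThrows(url) {
  try {
    decodeURIComponent(url);
    return false;
  } catch (e) {
    return e instanceof URIError;
  }
}

// Constructed sample inputs: the advisory's trigger plus a few variants.
const samples = ['feed://%', 'feed://%2', 'feed://%2G', 'feed://%41', 'http://%'];
for (const s of samples) {
  console.log(s.padEnd(12), JSON.stringify(checkUrl(s)), 'URIError:', builtinDecodeThrows(s));
}
```

Run it with node; the "feed://%41" line is the only one reported ok, and "http://%" is flagged just like the feed:// trigger, which is the point of checking escapes centrally rather than per scheme.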