lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 02 Mar 2009 22:29:39 -0500
From: bobby.mugabe@...hmail.com
To: full-disclosure@...ts.grok.org.uk, nick@...us-l.demon.co.uk
Subject: Re: Apple Safari ... DoS Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Nick,

You and Thierry Loller are wrong.

- -bm

On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald <nick@...us-
l.demon.co.uk> wrote:
>Chris Evans to Thierry Zoller:
>
>> > Example
>> > If a chrome tab can be crashed arbritarely (remotely) it is a
>DoS attack
>> > but with ridiculy low impact to the end-user as it only
>crashes the tab
>> > it was subjected to, and not the whole browser or operation
>system.
>> > But the fact remains that this was the impact of a DoS
>condition,
>> > the tab crashes arbritarily.
>>
>> Eh? If you visit www.evil.com and your tab crashes, that's no
>> different from www.evil.com closing its own tab with Javascript.
>
>But what if www.evil.com has run an injection attack of some kind
>(SQL,
>XSS in blog comments, etc, etc) against www.stupid.com?
>
>Visitors to stupid.com then suffer a DoS...
>
>Yes, stupid.com should run their site better, fix their myriad XSS
>holes,
>etc, etc.
>
>But this is the Internet, so this "software flaw" can be leveraged
>as
>security vulnerability.
>
>I'm with Thierry on this...
>
>
>Regards,
>
>Nick FitzGerald
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkmso8YACgkQhNp8gzZx3sj93AP/a+oFmgLbU2Elo0livpG3c6Qvh8+0
b69LocD4LJmaR3NR4H7AHZYJiqm1TegwdTvtgY4sZd0lXi5EKZYTJMl9tj2Pd53fxXFm
7eK5yf6oRGggrdOLyDjRkMV3bVnOppwXviMHdk8quxx8sDRxA99ZlKKUA40RXFa5eAhp
UpXIZ1s=
=zgqd
-----END PGP SIGNATURE-----

--
Become a medical transcriptionist at home, at your own pace.
 http://tagline.hushmail.com/fc/BLSrjkqfMmg6RbMKs4GE43pzNkcKJRWafc7cDXj4iASDyccuLtQA2i9f1le/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ