lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 2 Mar 2009 23:41:53 -0500
From: "Valdis' Mustache" <security.mustache@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari ... DoS Vulnerability

I would like to point out that I have been able to create a "hung"
state in the Firefox browser by opening 30 simultaneous tabs pointed
at http://www.welcometointernet.org/lawnmower/ and adding a 31st tab
viewing http://www.hotrussianbrides.com.

Also, I am not amused.


Your humble servant,
Ze Mustache von Kletnieks

On Mon, Mar 2, 2009 at 10:29 PM,  <bobby.mugabe@...hmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dear Nick,
>
> You and Thierry Loller are wrong.
>
> - -bm
>
> On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald <nick@...us-
> l.demon.co.uk> wrote:
>>Chris Evans to Thierry Zoller:
>>
>>> > Example
>>> > If a chrome tab can be crashed arbritarely (remotely) it is a
>>DoS attack
>>> > but with ridiculy low impact to the end-user as it only
>>crashes the tab
>>> > it was subjected to, and not the whole browser or operation
>>system.
>>> > But the fact remains that this was the impact of a DoS
>>condition,
>>> > the tab crashes arbritarily.
>>>
>>> Eh? If you visit www.evil.com and your tab crashes, that's no
>>> different from www.evil.com closing its own tab with Javascript.
>>
>>But what if www.evil.com has run an injection attack of some kind
>>(SQL,
>>XSS in blog comments, etc, etc) against www.stupid.com?
>>
>>Visitors to stupid.com then suffer a DoS...
>>
>>Yes, stupid.com should run their site better, fix their myriad XSS
>>holes,
>>etc, etc.
>>
>>But this is the Internet, so this "software flaw" can be leveraged
>>as
>>security vulnerability.
>>
>>I'm with Thierry on this...
>>
>>
>>Regards,
>>
>>Nick FitzGerald
>>
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
> -----BEGIN PGP SIGNATURE-----
> Charset: UTF8
> Version: Hush 3.0
> Note: This signature can be verified at https://www.hushtools.com/verify
>
> wpwEAQMCAAYFAkmso8YACgkQhNp8gzZx3sj93AP/a+oFmgLbU2Elo0livpG3c6Qvh8+0
> b69LocD4LJmaR3NR4H7AHZYJiqm1TegwdTvtgY4sZd0lXi5EKZYTJMl9tj2Pd53fxXFm
> 7eK5yf6oRGggrdOLyDjRkMV3bVnOppwXviMHdk8quxx8sDRxA99ZlKKUA40RXFa5eAhp
> UpXIZ1s=
> =zgqd
> -----END PGP SIGNATURE-----
>
> --
> Become a medical transcriptionist at home, at your own pace.
>  http://tagline.hushmail.com/fc/BLSrjkqfMmg6RbMKs4GE43pzNkcKJRWafc7cDXj4iASDyccuLtQA2i9f1le/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ