| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 2 Mar 2009 23:57:27 -0500
From: Jason Starks <jstarks440@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari ... DoS Vulnerability
Grow up, really.
On Mon, Mar 2, 2009 at 11:41 PM, Valdis' Mustache <
security.mustache@...il.com> wrote:
> I would like to point out that I have been able to create a "hung"
> state in the Firefox browser by opening 30 simultaneous tabs pointed
> at http://www.welcometointernet.org/lawnmower/ and adding a 31st tab
> viewing http://www.hotrussianbrides.com.
>
> Also, I am not amused.
>
>
> Your humble servant,
> Ze Mustache von Kletnieks
>
> On Mon, Mar 2, 2009 at 10:29 PM, <bobby.mugabe@...hmail.com> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Dear Nick,
> >
> > You and Thierry Loller are wrong.
> >
> > - -bm
> >
> > On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald <nick@...us-
> > l.demon.co.uk> wrote:
> >>Chris Evans to Thierry Zoller:
> >>
> >>> > Example
> >>> > If a chrome tab can be crashed arbritarely (remotely) it is a
> >>DoS attack
> >>> > but with ridiculy low impact to the end-user as it only
> >>crashes the tab
> >>> > it was subjected to, and not the whole browser or operation
> >>system.
> >>> > But the fact remains that this was the impact of a DoS
> >>condition,
> >>> > the tab crashes arbritarily.
> >>>
> >>> Eh? If you visit www.evil.com and your tab crashes, that's no
> >>> different from www.evil.com closing its own tab with Javascript.
> >>
> >>But what if www.evil.com has run an injection attack of some kind
> >>(SQL,
> >>XSS in blog comments, etc, etc) against www.stupid.com?
> >>
> >>Visitors to stupid.com then suffer a DoS...
> >>
> >>Yes, stupid.com should run their site better, fix their myriad XSS
> >>holes,
> >>etc, etc.
> >>
> >>But this is the Internet, so this "software flaw" can be leveraged
> >>as
> >>security vulnerability.
> >>
> >>I'm with Thierry on this...
> >>
> >>
> >>Regards,
> >>
> >>Nick FitzGerald
> >>
> >>
> >>_______________________________________________
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>Hosted and sponsored by Secunia - http://secunia.com/
> > -----BEGIN PGP SIGNATURE-----
> > Charset: UTF8
> > Version: Hush 3.0
> > Note: This signature can be verified at https://www.hushtools.com/verify
> >
> > wpwEAQMCAAYFAkmso8YACgkQhNp8gzZx3sj93AP/a+oFmgLbU2Elo0livpG3c6Qvh8+0
> > b69LocD4LJmaR3NR4H7AHZYJiqm1TegwdTvtgY4sZd0lXi5EKZYTJMl9tj2Pd53fxXFm
> > 7eK5yf6oRGggrdOLyDjRkMV3bVnOppwXviMHdk8quxx8sDRxA99ZlKKUA40RXFa5eAhp
> > UpXIZ1s=
> > =zgqd
> > -----END PGP SIGNATURE-----
> >
> > --
> > Become a medical transcriptionist at home, at your own pace.
> >
> http://tagline.hushmail.com/fc/BLSrjkqfMmg6RbMKs4GE43pzNkcKJRWafc7cDXj4iASDyccuLtQA2i9f1le/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists