lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Sat, 12 Jun 2010 18:06:41 +0200
From: Eduardo Vela <sirdarckcat@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: DoS attacks on email clients via protocol
	handlers

errr/
So that attack could allow
an attacker to annoy millions of people with email client popups when
they receive
an email/visit facebook.

it's important to note that the attack was in a redirection, so it's
asuming the website ensured that the starting URL was https?://

-- Eduardo




On Sat, Jun 12, 2010 at 6:00 PM, Eduardo Vela <sirdarckcat@...il.com> wrote:
> MustLive
>
> Since I saw you mentioned
> http://www.mozilla.org/security/announce/2010/mfsa2010-23.html I think
> it would be important for you to know the difference between that
> vulnerability and yours.
>
> The reason that was fixed, was because it's generally considered safe
> to embed images pointing off site, and is acceptable to consider it's
> generally safe (with a few exceptions like referrer leaking, and basic
> auth prompts), and a lot of websites, and online applications, like
> gmail, or facebook to mention a few do it. So that attack could allow
> an attacker to annoy millions of people with iframes when they receive
> an email/visit facebook.
>
> That was considered risky enough to make a fix, but still was
> considered low risk.
>
> All of your attacks with URI schemes are not exploitable this way, and
> are completely useless for that matter, I would recommend you to think
> "could this attack be exploited in mass? would it make people loss
> money/time?" before making more of those advisories.
>
> Greetings
>
> -- Eduardo
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ