| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Jun 2010 18:00:23 +0200 From: Eduardo Vela <sirdarckcat@...il.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: DoS attacks on email clients via protocol handlers MustLive Since I saw you mentioned http://www.mozilla.org/security/announce/2010/mfsa2010-23.html I think it would be important for you to know the difference between that vulnerability and yours. The reason that was fixed, was because it's generally considered safe to embed images pointing off site, and is acceptable to consider it's generally safe (with a few exceptions like referrer leaking, and basic auth prompts), and a lot of websites, and online applications, like gmail, or facebook to mention a few do it. So that attack could allow an attacker to annoy millions of people with iframes when they receive an email/visit facebook. That was considered risky enough to make a fix, but still was considered low risk. All of your attacks with URI schemes are not exploitable this way, and are completely useless for that matter, I would recommend you to think "could this attack be exploited in mass? would it make people loss money/time?" before making more of those advisories. Greetings -- Eduardo _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists