lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 12 Jun 2007 22:09:03 -0300
From: cardoso <cardosolistas@...traditorium.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Apple Safari for Windows feed:// URL Denial
	of Service Vulnerability

Are you sure it's wise to waste resources poking  Safari/Windows in
search of flaws?

The thing DOS itself, my machine (vista home premium, braz. portuguese
edition) can't run Safari for more than a few minutes, less, if I try do
actually open a website. 

I'm an Apple fanboy, proud owner of a Macbook, but I think this
abomination is the worst piece of software I ever installed, including
Windows Me and Microsoft Bob. 


On Wed, 13 Jun 2007 03:42:02 +0300
Trancer <mtrancer@...il.com> wrote:

> Apple Safari for Windows feed:// URL Denial of Service Vulnerability
> 
> Versions: Apple Safari For Windows 3 Beta
> 
> Apple Safari for Windows is prone to a denial-of-service vulnerability 
> because it fails to properly handle crafted feed:// link.
> 
> Proof-of-Concept: .
> Link: feed://%
> Exploit: <a href="feed://%">DoS</a>
> Yes, this will crash Safari. Yes, it's that easy.
> Note that this doesn't work with http://, ftp://, gopher:// and etc'.
> 
> Reference:
> http://www.rec-sec.co.il/2007/06/12/apple-safari-for-windows-vulnerabilities/#exp
> 
> Credit:
> Moshe Ben-Abu of BugSec is credited with discovering this vulnerability.
> 
> Vendor has been notified.
> 
> -- 
> Moshe Ben-Abu :: Trancer
> 0nly Human...
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

-------------------------------------------------------------
Carlos Cardoso
http://www.carloscardoso.com <== blog semi-pessoal
http://www.contraditorium.com <== ProBlogging e cultura digital

"You lost today, kid. But that doesn't mean you have to like it"

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ