lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <137472844.20090527203818@Zoller.lu>
Date: Wed, 27 May 2009 20:38:18 +0200
From: Thierry Zoller <Thierry@...ler.lu>
To: "Jim Parkhurst" <JPARKHUR@....state.tx.us>
Cc: info@...cl.etat.lu, nvd@...t.gov, cert@...t.org,
	full-disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq <bugtraq@...urityfocus.com>, cve@...re.org, vuln@...unia.com
Subject: Re: Addendum : [TZO-26-2009] Firefox (all?)
	Denial of Service through unclamped loop (SVG)

Hi Jim,

Read again:
Affected : All Firefox versions that support SVG.

Then think about what version of Firefox you are using.

JP> If I understand the process, saving the text at [IV. Proof of
JP> concept] (following the "~~~..." to an .XHTML file, and launch the
JP> file using Firefox, I should lose functionality ("Browser doesn't
JP> respond any longer to any user input, all tabs are no longer
JP> accessible, your work if any  (hail to the web 2.0) might be lost.")

JP> Using FF2.0.0.20 and the file does not result in loss of use. All
JP> tabs are functional. All JAVA links continue function.  Same
JP> result for naming the POC file to .HTML, .HTM.

>>>> Thierry Zoller <Thierry@...ler.lu> 05/26/2009 13:13 >>>


JP> For  those that failed to reproduce, try naming the POC file with an XHTML
JP> extension.


JP> _______________________________________________
JP> Full-Disclosure - We believe in it.
JP> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
JP> Hosted and sponsored by Secunia - http://secunia.com/



-- 
http://blog.zoller.lu
Thierry Zoller

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ