lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <011901ca415e$bf1cafe0$010000c0@ml>
Date: Wed, 30 Sep 2009 02:43:07 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "YGN Ethical Hacker Group \(http://yehg.net\)" <lists@...g.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DoS vulnerability in Mozilla Firefox

Hello YGN Ethical Hacker Group!

> Thanks, MustLive for utilizing pkcs.

You are welcome.

> From the way you did, one idea is to go through the bug zilla list and 
> test the different way that firefox developers still need to fill the gap 
> of security.

Yes, it's quite possible way to find new holes (particularly DoS) in Firefox 
at places of other holes. I have found some DoS holes in Firefox (and other 
browsers) when was analyzing other holes (found by other security 
researchers). Like in case of the vulnerability in pkcs11.addmodule by Dan 
Kaminsky, or like in case of these DoS vulnerabilities in Mozilla Firefox, 
Internet Explorer and Chrome (http://websecurity.com.ua/3424/) or these DoS 
vulnerabilities in Firefox, Internet Explorer, Opera and Chrome 
(http://websecurity.com.ua/3338/).

And I already wrote about many of blocking DoS holes in different browsers 
(Firefox, IE and others). One of the most well-known blocking DoS, which you 
can know - it's DoS via expression in styles in IE 
(http://websecurity.com.ua/2484/). And I'll write about new blocking DoS 
holes in browsers.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: YGN Ethical Hacker Group (http://yehg.net)
To: MustLive
Cc: full-disclosure@...ts.grok.org.uk
Sent: Monday, September 21, 2009 2:09 PM
Subject: Re: [Full-disclosure] DoS vulnerability in Mozilla Firefox



Thanks, MustLive for utilizing pkcs.
We still need to dig deeper into the source of firefox.




On Mon, Sep 21, 2009 at 3:29 AM, MustLive <mustlive@...security.com.ua> 
wrote:

Hello Full-Disclosure!

This is my second letter to this list.

Like in case of my previous letter to this list, I already sent this letter
to Bugtraq (at 15th of September), but they declined to post it without any
explanation (which is becoming tradition for them :-), earlier moderator at
least wrote explanations, but now he has a "words crisis"). I hope with
Full-Disclosure list everything will be much better. Insignificancy of
Bugtraq forces me to look at this list. When I read description of this list
at seclists.org, before writing of my first letter, I found it less nice
then Bugtraq's description. But I'll try to contribute my share to change
situation with list's image and we'll see who is #1 security list ;-).

I want to warn you about Denial of Service vulnerability in Mozilla Firefox.

Attack is based on idea of using of pkcs11.addmodule by Dan Kaminsky. Attack
belongs to type of blocking DoS (http://websecurity.com.ua/2550/). I wrote
already about blocking DoS vulnerabilities and it's new one.

DoS:

http://websecurity.com.ua/uploads/2009/Firefox%20DoS%20Exploit2.html

With the exploit Firefox blocks.

Vulnerable are all versions of Mozilla and Mozilla Firefox 3.0.13 and
previous versions.

I mentioned about this vulnerability at my site
(http://websecurity.com.ua/3500/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/ 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ