lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTimWB3rwvArXhzWqQX4uOYxWH13L-VGnF_Pw0P-1@mail.gmail.com>
Date: Sat, 12 Jun 2010 18:00:23 +0200
From: Eduardo Vela <sirdarckcat@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: DoS attacks on email clients via protocol
	handlers

MustLive

Since I saw you mentioned
http://www.mozilla.org/security/announce/2010/mfsa2010-23.html I think
it would be important for you to know the difference between that
vulnerability and yours.

The reason that was fixed, was because it's generally considered safe
to embed images pointing off site, and is acceptable to consider it's
generally safe (with a few exceptions like referrer leaking, and basic
auth prompts), and a lot of websites, and online applications, like
gmail, or facebook to mention a few do it. So that attack could allow
an attacker to annoy millions of people with iframes when they receive
an email/visit facebook.

That was considered risky enough to make a fix, but still was
considered low risk.

All of your attacks with URI schemes are not exploitable this way, and
are completely useless for that matter, I would recommend you to think
"could this attack be exploited in mass? would it make people loss
money/time?" before making more of those advisories.

Greetings

-- Eduardo

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ