List: bugtraq
Subject: Netscape Navigator buffer overflow
From: Michal Zalewski <lcamtuf () DIONE ! IDS ! PL>
Date: 2000-09-28 16:45:41
Haven't seen a bug report on it, so I decided to publish this vulnerability.
In fact it's pretty old, but still unpublished: Netscape Navigator is
vulnerable to a trivial, remote buffer overflow attack when viewing prepared
HTML:
<form action=something method=something>
<input type=password value=reallylongstring...>
...other form tags...
</form>
If the buffer is reasonably long, Netscape crashes with SEGV while trying to
parse this tag (it happens around 16 kB of junk as value=) while calling
the function XFE_GetFormElementInfo(). It is not a stack overflow, but, as
some pointers are overwritten, it seems to be exploitable. If someone has
free time and good will, they could try - recall the JPEG comment heap overflow.
Only type=password is vulnerable to this attack.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
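
A defensive check for the condition reported above, as an added example that is not part of the original message: a Python scanner, of the kind a filtering proxy or mail gateway could run, that flags password inputs whose value= attribute is oversized. The names scan_html and PasswordValueScanner and the 4096-byte threshold are assumptions; the post only states that the crash appears at around 16 kB.

```python
from html.parser import HTMLParser

# Assumed threshold: the post reports crashes at around 16 kB of value= data,
# so flag well below that. No legitimate pre-filled password is this long.
MAX_VALUE_BYTES = 4096


class PasswordValueScanner(HTMLParser):
    """Records <input type=password> tags carrying an oversized value=."""

    def __init__(self, limit=MAX_VALUE_BYTES):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []  # (line, column, value length in bytes)

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and accepts unquoted
        # values; self-closing tags are routed here by the base class.
        if tag != "input":
            return
        types = [(v or "").strip().lower() for k, v in attrs if k == "type"]
        if "password" not in types:
            return
        # Check every value= occurrence, since duplicate attributes are legal
        # to write and parsers differ on which one they keep.
        longest = max(
            (len((v or "").encode("utf-8")) for k, v in attrs if k == "value"),
            default=0,
        )
        if longest > self.limit:
            line, col = self.getpos()
            self.findings.append((line, col, longest))


def scan_html(html, limit=MAX_VALUE_BYTES):
    """Return a list of (line, column, length) for each oversized field."""
    scanner = PasswordValueScanner(limit)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    # Constructed sample page: filler only, shaped like the form in the post.
    sample = ("<form action=a method=post>\n"
              "<INPUT TYPE=PASSWORD VALUE=" + "x" * 16384 + ">\n</form>")
    for line, col, size in scan_html(sample):
        print(f"line {line}, col {col}: password value of {size} bytes")
```

A gateway would block or strip the flagged element before the page reaches the browser.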