Date:      Sun, 15 Oct 2000 22:18:03 -0400 (EDT)
From:      Trevor Johnson <trevor@jpj.net>
To:        Will Andrews <will@physics.purdue.edu>
Cc:        Trevor Johnson <trevor@FreeBSD.ORG>, developers@FreeBSD.ORG, FreeBSD Ports <ports@FreeBSD.ORG>
Subject:   Re: cvs commit: ports/www/bsdi-netscape47-communicator Makefile
Message-ID:  <Pine.BSI.4.21.0010152210310.6413-100000@blues.jpj.net>
In-Reply-To: <20001015210434.X95891@puck.firepipe.net>

> >   Mark forbidden because of buffer overflow described on BUGTRAQ.
> 
> Doesn't this also apply to the other Netscapes?  If not, this REALLY
> sucks.  :-(

I only tested it with the one from the bsdi-netscape-navigator-4.75
package, but it's very likely that other versions have the bug.  If they
crash while viewing http://people.freebsd.org/~trevor/hostile-page.html
they probably do.

I've appended the original report.
-- 
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

Date: Thu, 28 Sep 2000 18:45:41 +0200
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Netscape Navigator buffer overflow

Haven't seen a bug report on it, so I decided to publish this vulnerability.
In fact it's pretty old, but still unpublished: Netscape Navigator is
vulnerable to a trivial, remote buffer overflow attack when viewing prepared
HTML:

<form action=something method=something>
<input type=password value=reallylongstring...>
...other form tags...
</form>

If the buffer is reasonably long, Netscape crashes with SEGV while trying to
parse this tag (it happens around 16 kB of junk as value=) while calling
function XFE_GetFormElementInfo(). It is not a stack overflow, but, as
some pointers are overwritten, it seems to be exploitable. If someone has
free time and good will, they could try - recall the JPEG comment heap overflow.

Only type=password is vulnerable to this attack.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
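
The following is an added example, not part of the original thread or of any FreeBSD or Netscape code: a content check, such as a filtering proxy or page audit might run, that flags the pattern the report describes (an input of type=password with an oversized value=). The names PasswordValueScanner and scan_html and the 4096-byte limit are assumptions chosen for illustration; the sample pages are constructed.

```python
from html.parser import HTMLParser

# Assumed policy limit, set well below the ~16 kB crash size in the report.
MAX_PASSWORD_VALUE = 4096


class PasswordValueScanner(HTMLParser):
    """Records <input type=password> tags whose value= exceeds a limit."""

    def __init__(self, limit=MAX_PASSWORD_VALUE):
        super().__init__(convert_charrefs=True)
        self.limit = limit
        self.findings = []  # (line, column, value length)

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; values do not.
        if tag != "input":
            return
        types = [(v or "").strip().lower() for n, v in attrs if n == "type"]
        if "password" not in types:
            return
        # Duplicate attributes are all checked, since parsers differ on
        # which copy they keep.
        size = max((len(v or "") for n, v in attrs if n == "value"), default=0)
        if size > self.limit:
            line, col = self.getpos()
            self.findings.append((line, col, size))


def scan_html(html, limit=MAX_PASSWORD_VALUE):
    """Return findings for one HTML document given as a string."""
    scanner = PasswordValueScanner(limit)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages, not taken from the thread.
BENIGN = '<form action="/login" method="post">\n<input type="password" name="p" value="hunter2">\n</form>'
OVERSIZED = (
    "<form action=x method=post>\n"
    "<input type=text value=" + "B" * 5000 + ">\n"
    "<input type=PASSWORD value=" + "A" * 5000 + ">\n"
    "</form>"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, scan_html(page))
```

The long type=text field is deliberately not flagged, matching the report's statement that only type=password is affected.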


