Bugtraq mailing list archives
Netscape Navigator buffer overflow
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Thu, 28 Sep 2000 18:45:41 +0200
Haven't seen a bug report on it, so I decided to publish this vulnerability. In fact it's pretty old, but still unpublished: Netscape Navigator is vulnerable to a trivial, remote buffer overflow attack when viewing prepared HTML:

    <form action=something method=something>
    <input type=password value=reallylongstring...>
    ...other form tags...
    </form>

If the buffer is reasonably long, Netscape crashes with SEGV while trying to parse this tag (it happens around 16 kB of junk as value=) while calling the function XFE_GetFormElementInfo(). It is not a stack overflow, but, as some pointers are overwritten, it seems to be exploitable. If someone has free time and good will, they could try - recall the JPEG comment heap overflow. Only type=password is vulnerable to this attack.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
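One defensive check a content filter or proxy could run against fetched pages, added here as an example that is not part of the original post: it parses HTML with Python's html.parser and flags any input of type=password whose value= attribute exceeds a size limit. The 16 kB limit is taken from the post's crash figure; the sample documents are constructed.

```python
from html.parser import HTMLParser

# Size limit for the value= attribute of a password input. The post reports
# the crash at around 16 kB of data in value=, so that is used as the default.
PASSWORD_VALUE_LIMIT = 16 * 1024


class OversizedPasswordValueFinder(HTMLParser):
    """Collects <input type=password> tags whose value= exceeds the limit."""

    def __init__(self, limit=PASSWORD_VALUE_LIMIT):
        super().__init__()
        self.limit = limit
        self.findings = []  # (line, column, length of value=)

    def handle_starttag(self, tag, attrs):
        # <input .../> also arrives here: HTMLParser routes self-closing tags
        # through handle_starttag by default.
        if tag != "input":
            return
        # Attribute names are lower-cased by html.parser; a bare attribute
        # with no value is reported as None, which we treat as empty.
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("type", "text").lower() != "password":
            return
        value_len = len(attr.get("value", ""))
        if value_len > self.limit:
            line, col = self.getpos()
            self.findings.append((line, col, value_len))


def find_oversized_password_values(html, limit=PASSWORD_VALUE_LIMIT):
    """Return (line, column, length) for every oversized password value."""
    parser = OversizedPasswordValueFinder(limit)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample documents: an ordinary login form, and a form carrying
# a password value well past the limit.
SAMPLE_BENIGN = (
    '<form action="/login" method="post">'
    '<input type="password" name="pw" value="hunter2"></form>'
)
SAMPLE_SUSPECT = (
    '<form action="/x" method="get">\n'
    '<input type=password value="' + "A" * 20000 + '">\n</form>'
)
```

Any hit is a reason to drop or quarantine the page before a vulnerable client renders it; the limit can be lowered, since no legitimate form pre-fills a password of anywhere near that length.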