Full Disclosure mailing list archives
OSX Safari "PAC" url DoS
From: mac () msg net
Date: Tue, 21 Jun 2005 16:36:52 -0500
Tiger's System Preferences set to fetch a PAC File URL from a web server acts as a denial of service attack against the server where PAC is hosted. Flawed PAC retrieval code in Safari 2.0 (412) generates HTTP requests to the PAC URL many times for each page browsed, drowning your PAC server with "GET" requests. Finally the web server may crash due to load, after which the browser is unable to browse anywhere. Refusing requests showing a UserAgent of "CFNetwork/1.1" can help protect your PAC web server against this denial of service, as will manually resetting all Tiger workstations back to manual proxy. Thanks to I. Claymore and S. Karel for assistance in confirming this flaw. mac () msg net _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- OSX Safari "PAC" url DoS mac (Jun 21)
- Message not available
- Re: OSX Safari "PAC" url DoS Kevin (Jun 22)
- Message not available