Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Apple Safari ... DoS Vulnerability

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 03 Mar 2009 15:28:17 +1300
Chris Evans to Thierry Zoller:


Example
If a chrome tab can be crashed arbritarely (remotely) it is a DoS attack
but with ridiculy low impact to the end-user as it only crashes the tab
it was subjected to, and not the whole browser or operation system.
But the fact remains that this was the impact of a DoS condition,
the tab crashes arbritarily.


Eh? If you visit www.evil.com and your tab crashes, that's no
different from www.evil.com closing its own tab with Javascript.


But what if www.evil.com has run an injection attack of some kind (SQL, 
XSS in blog comments, etc, etc) against www.stupid.com?

Visitors to stupid.com then suffer a DoS...

Yes, stupid.com should run their site better, fix their myriad XSS holes, 
etc, etc.

But this is the Internet, so this "software flaw" can be leveraged as 
security vulnerability.

I'm with Thierry on this...


Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: