Full Disclosure mailing list archives

Re: Apple Safari ... DoS Vulnerability

From: Jason Starks <jstarks440 () gmail com>
Date: Tue, 3 Mar 2009 11:11:35 -0500

Mr. Mustache, it is obvious that I have more talent than a box of
chocolates, and that you envy the sadistic nature of your fellow trolls on
this list. Point blank.

On Tue, Mar 3, 2009 at 6:18 AM, <bobby.mugabe () hushmail com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Valdis,

I have been able to reproduce a similar situation using Firefox
under MacOSX, using different websites and a significantly larger
number of tabs.  Do you think these issues might be related or are
they operating system specific?  What model of CPU were you testing
this issue under?

Thanks,
- -bm

On Mon, 02 Mar 2009 23:41:53 -0500 Valdis' Mustache
<security.mustache () gmail com> wrote:

I would like to point out that I have been able to create a "hung"
state in the Firefox browser by opening 30 simultaneous tabs
pointed
at http://www.welcometointernet.org/lawnmower/ and adding a 31st
tab
viewing http://www.hotrussianbrides.com.

Also, I am not amused.


Your humble servant,
Ze Mustache von Kletnieks

On Mon, Mar 2, 2009 at 10:29 PM,  <bobby.mugabe () hushmail com>
wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear Nick,

You and Thierry Loller are wrong.

- -bm

On Mon, 02 Mar 2009 21:28:17 -0500 Nick FitzGerald <nick@virus-
l.demon.co.uk> wrote:

Chris Evans to Thierry Zoller:

Example
If a chrome tab can be crashed arbritarely (remotely) it is

DoS attack

but with ridiculy low impact to the end-user as it only

crashes the tab

it was subjected to, and not the whole browser or operation

system.

But the fact remains that this was the impact of a DoS

condition,

the tab crashes arbritarily.


Eh? If you visit www.evil.com and your tab crashes, that's no
different from www.evil.com closing its own tab with

Javascript.


But what if www.evil.com has run an injection attack of some

kind

(SQL,
XSS in blog comments, etc, etc) against www.stupid.com?

Visitors to stupid.com then suffer a DoS...

Yes, stupid.com should run their site better, fix their myriad

XSS

holes,
etc, etc.

But this is the Internet, so this "software flaw" can be

leveraged

as
security vulnerability.

I'm with Thierry on this...


Regards,

Nick FitzGerald


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at

https://www.hushtools.com/verify

wpwEAQMCAAYFAkmso8YACgkQhNp8gzZx3sj93AP/a+oFmgLbU2Elo0livpG3c6Qvh8+
0

b69LocD4LJmaR3NR4H7AHZYJiqm1TegwdTvtgY4sZd0lXi5EKZYTJMl9tj2Pd53fxXF
m

7eK5yf6oRGggrdOLyDjRkMV3bVnOppwXviMHdk8quxx8sDRxA99ZlKKUA40RXFa5eAh
p

UpXIZ1s=
=zgqd
-----END PGP SIGNATURE-----

--
Become a medical transcriptionist at home, at your own pace.

http://tagline.hushmail.com/fc/BLSrjkqfMmg6RbMKs4GE43pzNkcKJRWafc7c
DXj4iASDyccuLtQA2i9f1le/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkmtEaMACgkQhNp8gzZx3shZFwQAjiE2W/WUkNHrLIu1lBRz6oeDVrkn
TmV8TCcaDpsvkRmhNrKFXYObPEatdJ0po7Iul333mllga8+elMukkH15J7BwUZdGlNA5
wpE6zNx8ks6L9qS9UxklE8BErdTfUY/OF5FK4aZ92JcngL1xFTkZlDJS0lvIKGry3vju
P7xAvvQ=
=avqi
-----END PGP SIGNATURE-----

--
Click to find great rates on health insurance, save big, shop here.

http://tagline.hushmail.com/fc/BLSrjkqeRcNd9NCXSJiZxV7gq821SXvgq2GWai39WLJo4QlOxYCnjxaqn9u/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Re: Apple Safari ... DoS Vulnerability, (continued)
- - Re: Apple Safari ... DoS Vulnerability jf (Mar 02)
    - Re: Apple Safari ... DoS Vulnerability Chris Evans (Mar 02)
    - Re: Apple Safari ... DoS Vulnerability Pavel Kankovsky (Mar 04)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 02)
  - Re: Apple Safari ... DoS Vulnerability Nick FitzGerald (Mar 02)
  - Re: Apple Safari ... DoS Vulnerability Valdis' Mustache (Mar 02)
    - Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 02)
    - Re: Apple Safari ... DoS Vulnerability Valdis' Mustache (Mar 02)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
  - Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 03)
    - Re: Apple Safari ... DoS Vulnerability Jim Parkhurst (Mar 03)
- Re: Apple Safari ... DoS Vulnerability M.B.Jr. (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
  - Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
  - Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 03)
    - Re: Apple Safari ... DoS Vulnerability Valdis' Mustache (Mar 03)
    - Re: Apple Safari ... DoS Vulnerability Jason Starks (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)
- Re: Apple Safari ... DoS Vulnerability bobby . mugabe (Mar 03)

(Thread continues...)