Here's another report from BugTraq/NTBugTraq about a security problem in Mozilla/NS6. The comments in the beginning are in response to GreyMagic's report that Netscape wasn't handling security bugs and the Bug Bounty properly (see article <[EMAIL PROTECTED]> posted by me just a few minutes ago).
Thor Larholm <[EMAIL PROTECTED]> writes:

> Disturbing.
>
> Netscape sure must be in financial problems since they are selling out on
> their users' security for a lousy $1000.
>
> I know for one that I personally will release any future Netscape advisories
> with full public disclosure and without prior Netscape notification. As a
> matter of fact, why not start now?
>
> The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
> A typical IRC URL could look like this:
>
> IRC://IRC.YOUR.TLD/#YOURCHANNEL
>
> The #YOURCHANNEL part is copied to a buffer that has a limit of 32K.
> If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
> error:
>
> The exception unknown software exception (0xc00000fd) occured in the
> application at location 0x60e42edf
>
> Mozilla 0.9.9 gives a similar exception:
>
> The exception unknown software exception (0xc00000fd) occured in the
> application at location 0x60dd2c79.
>
> Other versions of Mozilla/NS6/Galeon likely share the same flaw.
> I haven't tested further on how practically exploitable this is.
> Short example online at
>
> http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html
>
> Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
> vulnerability.
>
> When embedding a stylesheet with the <LINK> element, access to CSS files
> from other protocols is prohibited by the security manager. A simple HTTP
> redirect circumvents this security restriction and it becomes possible to
> use local or remote files of any type, with the side effect that you can
> detect if specific local files exist.
>
> http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp
>
>
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer
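The redirect bypass in the second half of the report above comes down to a policy check that runs once on the original URL and never again on the redirect target. As an added illustration (not part of the original post and not Mozilla's code), here is a simulated stylesheet-load policy in both forms: the check-once version beside one that re-applies the scheme policy on every hop. The redirect table, URLs and function names are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed stand-in for a server's HTTP 3xx responses: request URL -> Location.
REDIRECTS = {
    "http://attacker.example/style.css": "file:///C:/some/local/file.txt",
    "http://attacker.example/hop1.css": "http://attacker.example/hop2.css",
    "http://attacker.example/hop2.css": "http://cdn.example/final.css",
}

# Schemes a web page is permitted to pull a stylesheet from (assumed policy).
ALLOWED_SCHEMES = {"http", "https"}


def scheme_allowed(url):
    """True if the URL's scheme is one the page may load a <LINK> from."""
    return urlsplit(url).scheme.lower() in ALLOWED_SCHEMES


def resolve_check_once(url, redirects=REDIRECTS, max_hops=10):
    """The reported behaviour: policy applied to the initial URL only,
    then redirects are followed blindly. A Location pointing at file://
    (or any other scheme) therefore slips past the security manager."""
    if not scheme_allowed(url):
        return None
    for _ in range(max_hops):
        if url not in redirects:
            return url          # final resource the browser would load
        url = redirects[url]    # follow redirect without re-checking
    return None                 # too many hops


def resolve_check_every_hop(url, redirects=REDIRECTS, max_hops=10):
    """Hardened form: every redirect target is run through the same policy
    before it is followed, so a redirect cannot widen what the page may read."""
    for _ in range(max_hops + 1):
        if not scheme_allowed(url):
            return None         # blocked, whichever hop introduced the scheme
        if url not in redirects:
            return url
        url = redirects[url]
    return None
```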
