Date: Sun, 6 Sep 1998 00:53:24 +0200
From: Michal Zalewski
To: BUGTRAQ@netspace.org
Subject: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)

Now, some DoSes on Netscape 4.0x browsers:
------------------------------------------

Meta refresh or href to URL "mocha:document.open('300k times A');" causes
Netscape to waste whole memory / CPU, then crash. This URL could be gzipped
to about 500 bytes; Netscape will uncompress a .html.gz web page on the fly.
Btw. by using 'mocha:' or 'javascript:' protocol in addresses, you could do
really interesting things, including "mocha:while(1)open();", but it's
nothing really uncommon - javascript extensions are harmful at all.

Want more? Insert meta refresh or href to "about:(300k times A)". Netscape
under Xwindows will hang up due to an out-of-range draw request.

More and more tricks. With nethelp installed, URL
'nethelp:../../../../../anyfile%00' will cause Netscape to seek through any
specified file looking for help (what about /dev/urandom?). The
'view-source:' protocol is also really interesting.

Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz

Solution: (sorry, I don't have the sources)

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [ENSI / marchew] [dione.ids.pl SYSADM]
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
To iterate is human, to recurse divine [P. Deutsch]
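An added example, not part of the original post and not Netscape's code: a filter that a proxy or content scanner could run over a page before it reaches the browser, covering the three patterns the post describes (a small gzip body that inflates to a huge one, an oversized pseudo-protocol URL in an href or meta refresh, and `../` with `%00` in such a URL). The size limits and the names `bounded_gunzip`, `LinkAudit` and `audit` are assumptions made for this example.

```python
import gzip, io, re
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes
# Assumed policy values for this example; none of them come from the post.
MAX_INFLATED = 64 * 1024      # most bytes we will inflate from a .html.gz body
MAX_URL_LEN = 2048            # longest URL tolerated in href / meta refresh
SCHEMES = ("mocha:", "javascript:", "about:", "nethelp:", "view-source:")

def bounded_gunzip(data, limit=MAX_INFLATED):
    """Inflate at most limit+1 bytes; return None if the body is larger."""
    with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
        out = gz.read(limit + 1)
    return out if len(out) <= limit else None

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []    # (scheme, reason) pairs

    def handle_starttag(self, tag, attrs):
        a, url = dict(attrs), None
        if tag == "a":
            url = a.get("href")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.*)", a.get("content") or "", re.I | re.S)
            url = m.group(1) if m else None
        url = (url or "").strip().strip("'\"")
        scheme = next((s for s in SCHEMES if url.lower().startswith(s)), None)
        if scheme is None:
            return
        raw = unquote_to_bytes(url)          # decode %00 and other escapes
        checks = (("oversized", len(url) > MAX_URL_LEN),
                  ("nul-byte", b"\x00" in raw),
                  ("path-traversal", b"../" in raw))
        self.findings += [(scheme, why) for why, hit in checks if hit]

def audit(body, gzipped=False):
    """Return findings for an HTML body (bytes), optionally gzip-encoded."""
    if gzipped:
        body = bounded_gunzip(body)
        if body is None:
            return [("gzip", "oversized")]
    parser = LinkAudit()
    parser.feed(body.decode("latin-1"))
    return parser.findings

if __name__ == "__main__":
    print(audit(b'<a href="nethelp:../../x%00">help</a>'))  # constructed sample
```

Reading only `limit + 1` bytes from the gzip stream means the filter itself never inflates the full body, so it cannot be exhausted by the same input it is checking.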