[BuHa-Security] DoS Vulnerability in Firefox 1.5.0.1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
---------------------------------------------------
| BuHa Security-Advisory #9 | Apr 12th, 2006 |
---------------------------------------------------
| Vendor | Mozilla Firefox |
| URL | http://www.mozilla.com/firefox/ |
| Version | <= 1.5.0.1 |
| Risk | Low (DoS - Null Pointer Dereference) |
---------------------------------------------------
o Description:
=============
The award-winning Web browser is better than ever. Browse the Web
with confidence - Firefox protects you from viruses, spyware and
pop-ups. Enjoy improvements to performance, ease of use and privacy.
Visit http://www.mozilla.com/firefox/ for detailed information.
o Denial of Service:
===================
Following HTML source forces Firefox <= 1.5.0.1 to crash:
> <legend>
> <kbd>
> <object>
> <h4>
> </object>
> </kbd>
Online-demo:
http://morph3us.org/security/pen-testing/firefox/firefox1501-nsBlockFrame.html
The access violation results in a non-exploitable Null Pointer Dereference.
o Disclosure Timeline:
=====================
01 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
15 Dec 05 - Vendor confirmed vulnerability.
02 Feb 06 - Fixed on 1.x branches.
12 Apr 06 - Public release.
o Solution:
==========
The upcoming versions of Firefox (1.0.8 and 1.5.0.2) will address this
issue.
o Credits:
=========
Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/
If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address therefore it's possible that
some mails get ignored. Please use the contact details at
http://morph3us.org/ to contact me.
Greets fly out to cyrus-tc, destructor, nait, rhy, trappy and all
members of BuHa.
Advisory online:
http://morph3us.org/advisories/20060412-firefox-1501.txt
-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/
iD8DBQFEPVY0kCo6/ctnOpYRA02MAJ44HoaPKmgnii3+uM7RBNA5WsJ2BgCdHTdM
e3SnWFYbwoCSftadTtIfzr0=
=dVrF
-----END PGP SIGNATURE-----