netscape-4.x-DoS.txt

`Date: Sun, 6 Sep 1998 00:53:24 +0200  
From: Michal Zalewski <[email protected]>  
To: [email protected]  
Subject: Sendmail, lynx, Netscape, sshd, Linux kernel (twice)  
  
  
Now, some DoSes on Netscape 4.0x browsers:  
------------------------------------------  
  
Meta refresh or href to URL "mocha:document.open('300k times A');" causes  
netscape to waste whole memory / CPU, then crash. This URL could be gziped  
to about 500 bytes, netscape will uncompress .html.gz web page in the fly.  
Btw. by using 'mocha:' or 'javascript:' protocol in addresses, you could  
do really interesting things, including "mocha:while(1)open();", but it's  
nothing really uncommon - javascript extensions are harmful at all.  
  
Want more? Insert meta refresh or href to "about:(300k times A)". Netscape  
under Xwindows will hang up due to out-of-range draw request.  
  
More and more tricks. With nethelp installed, URL  
'nethelp:../../../../../anyfile%00' will cause netscape to seek through  
any specified file looking for help (what about /dev/urandom?).  
'view-source:' protocol is also really interesting.  
  
Samples: http://dione.ids.pl/~lcamtuf/pliki/browsers.html.gz  
  
Solution: (sorry, I haven't sources)  
  
_______________________________________________________________________  
Michal Zalewski [[email protected]] [ENSI / marchew] [dione.ids.pl SYSADM]  
[http://linux.lepszy.od.kobiety.pl/~lcamtuf/] <=--=> bash$ :(){ :|:&};:  
[voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]  
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]  
  
`