Closed
Bug 298034
Opened 19 years ago
Closed 19 years ago
CRITICAL EXPLOIT: Malformed IMG tag can cause operating system STOP error.
Categories: Firefox :: General, defect
Status: VERIFIED DUPLICATE of bug 289864
People: (Reporter: CoJaBo-Bugzilla, Unassigned)
Attachments: 1 file (176.11 KB, application/zip)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

The tag "<IMG SRC="AYB-school.jpg" width="9999999" height="9999999" />" can cause the video device driver to hang, causing a STOP (Blue Screen of Death) error. This has been tested on Win XP home using Firefox 1.0.1; and on Win XP home using Firefox 1.03, Firefox 1.04, and Internet Explorer (latest version).

The exploit is way too easy to use, as it only requires an unsuspecting victim to visit the page. This can be accomplished either by posting the link somewhere or, like what happened to me, cracking the homepage of a website (for example my website) and replacing it with a page that redirects to the exploit.

Reproducible: Always

Steps to Reproduce:
*WARNING* following the steps results in an operating system crash, be sure to SAVE ALL DATA before continuing! The complete URL to the file was not included to prevent any accidents, follow the steps below to get to the page. This is the page that the redirect that was put on my website led me to.
1. Go to "http://www.scene.org:8080/redhound/"
2. Click "crash.html"

Actual Results:
The system froze for several seconds, then displayed a STOP error.

Expected Results:
There should be a reasonable size limit on the size of images to prevent this from happening. Firefox should have displayed the image at a reasonable maximum size.

This should also be reported to makers of other browsers, as it works on IE, and probably works on other browsers. This has also been reported to Symantec.

*WARNING* this results in an operating system crash, be sure to SAVE ALL DATA before continuing! The file crash.html has been renamed to crash.txt, rename it back to crash.html to test it. The image file is, as far as I know, harmless. It is the IMG tag that causes the crash.
Comment 2•19 years ago
This trick is making the rounds. It's fixed in the Deer Park Alpha 1 release.

*** This bug has been marked as a duplicate of 289864 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•19 years ago
Status: RESOLVED → VERIFIED
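
The report asks for a reasonable limit on declared image sizes. As an added example (not part of the bug report and not Mozilla's fix), this is one way a content filter or HTML sanitizer could flag IMG tags whose declared width or height exceeds a ceiling before the page reaches a renderer. The 16384-pixel ceiling and the function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed policy ceiling in pixels; the bug report does not name a limit.
MAX_DIMENSION = 16384


def parse_dimension(raw):
    """Return the leading integer of an HTML dimension value, or None."""
    match = re.match(r"\s*([0-9]+)", raw or "")
    return int(match.group(1)) if match else None


class OversizedImageFinder(HTMLParser):
    """Collects <img> tags whose declared width or height exceeds a ceiling."""
    def __init__(self, limit):
        super().__init__()
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and routes <IMG ... /> here as well.
        if tag != "img":
            return
        attr_map = dict(attrs)
        line, _column = self.getpos()
        for name in ("width", "height"):
            value = parse_dimension(attr_map.get(name))
            if value is not None and value > self.limit:
                self.findings.append((line, attr_map.get("src"), name, value))


def find_oversized_images(html, limit=MAX_DIMENSION):
    """Return (line, src, attribute, value) for every over-limit dimension."""
    finder = OversizedImageFinder(limit)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; the first tag is the one quoted in the report.
SAMPLE = """<html><body>
<IMG SRC="AYB-school.jpg" width="9999999" height="9999999" />
<img src="logo.png" width="120" height="60">
<img src="wide.png" width=100% height='20000px'>
</body></html>"""

if __name__ == "__main__":
    print(*find_oversized_images(SAMPLE), sep="\n")
```

The check covers only dimensions declared in markup; sizes set through CSS or script would need a separate check.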