[Advisory] Mozilla Products Remote Crash Vulnerability

From: Niek van der Maas (niekvdmaas_at_gmail.com)
Date: 12/06/04

  • Next message: Thierry Carrez: "[ GLSA 200412-03 ] imlib: Buffer overflows in image decoding"
    Date: Mon, 6 Dec 2004 15:24:58 +0100
    To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com


    I'm posting it here, the Mozilla guys didn't want to answer or even
    confirm this bug. No idea whether this one is exploitable or not, I'll
    leave that over to the readers of these lists.

    Niek van der Maas

    Mozilla Products Remote Crash Vulnerability

    Vendor : The Mozilla Organisation
    Product(s) : Navigator, Firefox, other Gecko based products
    Version(s) : All released versions
    Platform(s) : All platforms (confirmed on Windows, Linux and SunOS)
    Discovered by : Niek van der Maas, MaasOnline (http://maas-online.nl/)
    Advisory URL : http://maas-online.nl/security/advisory-mozilla-crash.txt

      While working on one of my projects I discovered a vulnerability in Firefox,
      allowing a attacker to crash the browser. Further investigation learned that
      this vulnerability also applies on other Mozilla products, like Navigator.
      All platforms and versions are affected.
      The crash occurs when a one-line JavaScript is executed which tries to print
      an iframe. The crash does not occur when executing this JavaScript in the
      'onload' tag or after clicking a link (i.e., 'onclick').

      The vulnerability can be exploited with the following 2 lines of code:
        <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
        <script type="text/javascript">window.frames.pocframe.print();</script>
      A sample page containing these 2 lines is available at

      No patch is available at this time. The only solution is to disable JavaScript
      execution at all.

      The bug (#272381) was opened 2004-11-30 in Bugzilla.
      Until now (2004-12-06), no response or confirmation is received. Contacting
      the Mozilla Security Team on IRC didn't help either, it seems that they're
      simply not interested.

  • Next message: Thierry Carrez: "[ GLSA 200412-03 ] imlib: Buffer overflows in image decoding"

    Relevant Pages