New Netscape bug (in version 1.12)
C'punks,

I just got back from a vacation in Raleigh, and downloaded the new "fixed" Netscape 1.12. It took me about an hour, but I've discovered another bug and potential security hole. This one relates to mailto:.

The bug is as follows. Create an HTML file with a hyperlink containing the following URL:

foo

This bug doesn't seem to crash Netscape; instead, it crashes my X server as soon as the mail window pops up. I'm too tired right now to try to analyze it, but it might be another stack bug, this time in the X libraries, because Netscape isn't doing any sanity checking.

I need help testing this bug on other platforms. I have created a test page. Go to http://www.gl.umbc.edu/~rcromw1/crash.html to test.

I have also found 2 other bugs that cause stack trashing in v1.1; however, they are random and I haven't been able to isolate them completely yet. (I have created a page on my system such that if you visit it, after you visit about 3 more pages, it crashes.)

What's my point in pursuing this? Netscape's browser is a piece of software that runs on millions of computers and, in effect, allows outside agents to input arbitrary data into that software. As such, it is unlike most applications made. Sure, Microsoft Word may have bugs, but how many people are downloading hundreds of MS Word documents every day and viewing them? Users of Web browsers are exposing themselves like this every day, and so I think that web browsers must have higher standards of robustness.

I think Netscape represents an enormous risk to computer security, and while I think they are heading in the right direction, there are some very basic implementation issues they need to clear up which are orthogonal to SSL and credit card transactions. All the cryptography in the world won't help you if someone can subvert your cryptobox. Netscape needs to do some serious quality assurance work. I've never been a QA person in my life, but within a few minutes I have been able to find serious bugs in the software.

And while I'm sure Netscape's coders are fine people, proofreading your own code, code that you look at every day, becomes rather hard because you tend to "see through it" (just like proofreading essays or messages). I think Netscape should hire some outside firm/group to review their code under non-disclosure for potential implementation holes.

-Ray Cromwell <rjc@clark.net>

P.S. I am running Netscape v1.12 under BSDI2.0 and the XAccel/2.0 server.
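An added illustration of the failure class Ray hypothesises above, an unbounded copy of an attacker-supplied URL component into a fixed-size buffer, shown beside a version that bounds and validates the input before passing it on. This is not Netscape's code and nothing in the thread establishes how Netscape 1.12 actually handled mailto:; the buffer size ADDR_MAX, the function names, the rejection rules and the sample URLs are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_MAX 64                       /* assumed fixed buffer size */
#define MAILTO_PREFIX "mailto:"

/* Vulnerable form: assumes the address part of the URL fits in ADDR_MAX
 * bytes. The page author controls the URL, so an address of 64 or more
 * bytes overruns `addr` and trashes whatever follows it on the stack.
 * Kept here only for contrast; never feed it untrusted input. */
static void parse_mailto_unsafe(const char *url, char addr[ADDR_MAX])
{
    size_t plen = strlen(MAILTO_PREFIX);

    if (strncmp(url, MAILTO_PREFIX, plen) != 0) {
        addr[0] = '\0';
        return;
    }
    strcpy(addr, url + plen);             /* no length check at all */
}

/* Hardened form: returns 0 and fills `addr` on success, -1 on rejection.
 * Overlong input is rejected outright rather than silently truncated
 * (truncation can turn one address into a different, valid one), and
 * bytes that cannot appear in an addr-spec (control characters, space,
 * DEL, non-ASCII) are rejected, so the string handed on to the mail
 * window and the X toolkit beneath it is both bounded and printable. */
static int parse_mailto_safe(const char *url, char addr[ADDR_MAX])
{
    size_t plen = strlen(MAILTO_PREFIX);
    const char *p;
    size_t n, i;

    addr[0] = '\0';
    if (strncmp(url, MAILTO_PREFIX, plen) != 0)
        return -1;
    p = url + plen;
    n = strlen(p);
    if (n == 0 || n >= ADDR_MAX)          /* leave room for the NUL */
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)p[i];
        if (c <= 0x20 || c >= 0x7f)
            return -1;
    }
    if (strchr(p, '@') == NULL)           /* local-part@domain expected */
        return -1;
    memcpy(addr, p, n + 1);
    return 0;
}

/* Returns 1 when the hardened parser accepts `url` and yields `expected`. */
static int safe_yields(const char *url, const char *expected)
{
    char addr[ADDR_MAX];

    return parse_mailto_safe(url, addr) == 0 && strcmp(addr, expected) == 0;
}

/* Returns 1 when the hardened parser rejects `url`. */
static int safe_rejects(const char *url)
{
    char addr[ADDR_MAX];

    return parse_mailto_safe(url, addr) == -1;
}

/* Builds the kind of link Ray describes: a mailto: with a 200-byte
 * address (constructed sample input) and reports whether the hardened
 * parser refuses it. The length check fires before anything else; the
 * unsafe parser would overrun its 64-byte buffer on the same input. */
static int overlong_is_rejected(void)
{
    char url[256];
    size_t plen = strlen(MAILTO_PREFIX);

    memcpy(url, MAILTO_PREFIX, plen);
    memset(url + plen, 'A', 200);
    url[plen + 200] = '\0';
    return safe_rejects(url);
}

int main(void)
{
    char addr[ADDR_MAX];

    parse_mailto_unsafe("mailto:rjc@clark.net", addr);   /* benign input */
    printf("unsafe parser, short address: %s\n", addr);
    printf("safe parser accepts normal address: %d\n",
           safe_yields("mailto:rjc@clark.net", "rjc@clark.net"));
    printf("safe parser rejects 200-byte address: %d\n", overlong_is_rejected());
    printf("safe parser rejects embedded newline: %d\n",
           safe_rejects("mailto:a@b\nX-Evil: 1"));
    return 0;
}
```

The point of the contrast is Jeff's later remark applied one layer up: whatever the X server does with garbage, the browser is the component that accepted a page author's bytes, so the length and character checks belong there, before the string reaches any library that may trust it.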
Doesn't crash on SunOS 4.1.3_U1 running X11R6.
I need help testing this bug on other platforms. I have created a test page. Go to http://www.gl.umbc.edu/~rcromw1/crash.html to test.
--
sameer                         Voice: 510-601-9777
Community ConneXion            FAX: 510-601-9734
An Internet Privacy Provider   Dialin: 510-658-6376
http://www.c2.org (or login as "guest")    sameer@c2.org
Thanks for the info. It may be a bug in BSDI's Xserver then. However, the overlong domain bug is also a bug in the NIS code. So while the crash may not occur within Netscape code itself, I am a little wary that it is not performing sanity checking. If it turns out to do nasty stuff to Windows clients, then it may be significant. -Ray
Just tried it under NT 3.5 with Netscape 1.1. It didn't crash as soon as the mail window popped up (like it does under my BSDI2.0), however clicking on "send" caused Netscape to quit/die (but not with any GPF or failure) Varying the length and data in the mailto may have other effects. -Ray
On Tue, 3 Oct 1995, sameer wrote:
Doesn't crash on SunOS 4.1.3_U1 running X11R6.
Nor does it crash FreeBSD 2.1-STABLE w/ X11R6
I tested your crash page on 1.12 for SGI, and 2.0 on SGI and Windows NT, and none of them had any problem. I spent five years working on the X server, and my credo then was that if the X server crashes, it's a bug in the X server, no matter what wild shit the client throws at it. (I feel the same way about netscape now...) I suggest you complain to your X server vendor.

--Jeff

--
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
jsw@netscape.com - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
This bug does not crash Netscape 1.1S running on an SGI.

Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

On Tue, 3 Oct 1995, Ray Cromwell wrote:
Date: Tue, 3 Oct 1995 04:36:44 -0400 (EDT)
From: Ray Cromwell <rjc@clark.net>
To: cypherpunks@toad.com
Subject: New Netscape bug (in version 1.12)
participants (6)
- Aleph One
- Duncan Frissell
- jsw@neon.netscape.com
- Marc Ramirez
- Ray Cromwell
- sameer