Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Mozilla "irc:" URI Handler Denial of Service

Nov 25, 2003 10:02PM PST

Secunia Advisory: SA10292
Release Date: 2003-11-26
Critical: Not critical
Impact: DoS
Where: From remote
Software:
Mozilla 1.0
Mozilla 1.1
Mozilla 1.3
Mozilla 1.4
Mozilla 1.5

Description:
A problem has been reported in Mozilla, which can be exploited by malicious people to cause a DoS (Denial of Service).

The problem is caused due to an error in the Chatzilla component. When an overly long string (about 40K) is supplied as a network name (e.g. via the "irc:" URI handler), a recursive function in "js3250.dll" will consume all allocated stack space and eventually cause an access violation, which crashes Mozilla.

This issue has been confirmed Chatzilla versions 0.9.35 and 0.9.48 in Mozilla 1.4 and 1.5 for Windows. Other versions are likely also affected.

Solution:
Filter overly long URLs with the "irc:" URI handler.

Remove Chatzilla if it's not used.

Reported by / credits:
dr_insane

http://www.secunia.com/advisories/10292/

Discussion is locked