1995-09-28 - Re: Another Netscape Bug (and possible security hole)

Header Data

From: sameer <sameer@c2.org>
To: dl@hplyot.obspm.fr (Laurent Demailly)
Message Hash: 82bac854a64ca07bb21f150de77eb8d7a632c0384cac63b4e00df79ad7f9f0dc
Message ID: <199509281619.JAA24789@infinity.c2.org>
Reply To: <9509281050.AA15525@hplyot.obspm.fr>
UTC Datetime: 1995-09-28 16:26:05 UTC
Raw Date: Thu, 28 Sep 95 09:26:05 PDT

Raw message

From: sameer <sameer@c2.org>
Date: Thu, 28 Sep 95 09:26:05 PDT
To: dl@hplyot.obspm.fr (Laurent Demailly)
Subject: Re: Another Netscape Bug (and possible security hole)
In-Reply-To: <9509281050.AA15525@hplyot.obspm.fr>
Message-ID: <199509281619.JAA24789@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain


> 
> No, you *can* put 0x22, 0x3e and 0x2f by using respectively
> &#34; &#62; and &#47; html constructs  (&#nnn; nn decimal ascii code)
> unfortunately &#0; is not recognized but you can probably use any number
> subtracted by itself or even short lda#0 (depending on the cpu),...if
> you need a zero,...(what for ?)

	Oh that's great.. netscape might -not- be doing the conversion
before it crashes though.. worth a shot to check though, without a
doubt.

> 
> I hope this helps too, btw, anyone having contacts on the 8lgm folks?
> they must have experience with that kind of stuff...

	Karl told me that it's their policy only to do exploits for
bugs they have found themselves.

> Even if a patch should be available now, making a demonstration is
> still interesting IMO [specially when you know that there are still
> ppl around using netscape 0.9x beta, and even ppl 'selling' it in ISP
> access packages!...]

	Look at http://www.c2.org/ with an unpatched
netscape. Hopefully other sites will do similar things.

-- 
sameer						Voice:   510-601-9777
Community ConneXion				FAX:	 510-601-9734
An Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org (or login as "guest")			sameer@c2.org



