############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified:Yes exploit available: YES
############################################
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 20.11.2009
Title:
======
K-Meleon Browser v1.5.4 - Denial of Service Vulnerability
Date:
=====
2012-04-14
- - Mozilla Thunderbird
- - Mozilla Sunbird
- - Mozilla Camino
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
- - F-Lock
- - MatLab
- - J
This list is not yet closed.
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
This list is not yet closed. US-CERT declared that will inform all vendors about this issue, however, they did not do it. Even greater confusion caused new CVE number "CVE-2009-1563". Secunia has informed that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products like ( KDE, Chrome ) and it is based on "CVE-2009-0689". After some time Mozilla Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with note :
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
This list is not yet closed. US-CERT declared that will inform all vendors about this issue, however, they did not do it. Even greater confusion caused new CVE number "CVE-2009-1563". Secunia has informed that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products like ( KDE, Chrome ) and it is based on "CVE-2009-0689". After some time Mozilla Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with note :
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".
- - Mozilla Thunderbird
- - Mozilla Sunbird
- - Mozilla Camino
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
- - F-Lock
This list is not yet closed.
- --- 4. Fix ---
- - Mozilla Thunderbird
- - Mozilla Sunbird
- - Mozilla Camino
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
- - F-Lock
This list is not yet closed.
Proof Of Concept
####################
#######################################################################
#!/usr/bin/perl
# safari & k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS
# generate the file open it with safari wait a seconds
######################################################################
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
This list is not yet closed. US-CERT declared that will inform all vendors about this issue, however, they did not do it. Even greater confusion caused new CVE number "CVE-2009-1563". Secunia has informed that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that the problem affects other products like ( KDE, Chrome ) and it is based on "CVE-2009-0689". After some time Mozilla Foundation Security Advisory
("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")
was updated with note :
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".
