[2008-07-23] Thunderbird url handling cpu+memory consumption DOS


Thunderbird is prone to a remote denial of service attack because it fails to properly handle overly long url's in the form of www.[100000+ x 'a'].com.An example will be <a href="http://www.a.a.a.a.a....[100000+].com/">test</a> embedded into a html file sent as an attachement.When trying to open the email Thunderbird will try to interpret the html page for inline display and start eating up big amounts of cpu and memory(ram) and stop responding thus hanging.A malicious attacker can send an email having attached such an html file,thereby causing a remote denial of service attack on thunderbird clients trying to open the email.
Tested on Thunderbird under Windows XP.Other versions might be affected too.

POC/Exploit code   [.html]

The following proof of concept html page has been provided thunderbird.html

Other references

Milw0rm :

Securityfocus :