[2008-07-23] Thunderbird 2.0.0.14 URL handling CPU+memory consumption DoS

Thunderbird 2.0.0.14 is prone to a remote denial of service attack because it fails to properly handle overly long URLs of the form www.[100000+ x 'a'].com. An example is <a href="http://www.a.a.a.a.a....[100000+].com/">test</a> embedded in an HTML file sent as an attachment. When the user tries to open the email, Thunderbird attempts to interpret the HTML page for inline display, starts consuming large amounts of CPU and memory (RAM), and stops responding. An attacker can send an email with such an HTML file attached, thereby causing a remote denial of service on Thunderbird clients that try to open the email.
Tested on Thunderbird 2.0.0.14 under Windows XP. Other versions might be affected too.

Just send this HTML file attached to an email to a Thunderbird client.


Found by Shinnok https://shinnok.com
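
A check a mail gateway could run before delivery, as an added example that is not part of the original advisory: it flags HTML parts whose link hostnames exceed the DNS limits (253 characters overall, 63 per label), which the URL pattern described above necessarily does. The function names and the sample message builder are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_HOST_LEN = 253   # DNS limit for a whole hostname in text form
MAX_LABEL_LEN = 63   # DNS limit for one dot-separated label

class LinkCollector(HTMLParser):
    """Collects href/src values from every tag in an HTML part."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in ("href", "src") and v]

def host_violation(url):
    """Return why the URL's host cannot be a real DNS name, or None."""
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:
        return "unparseable URL"
    if len(host) > MAX_HOST_LEN:
        return f"hostname is {len(host)} chars (limit {MAX_HOST_LEN})"
    if any(len(label) > MAX_LABEL_LEN for label in host.split(".")):
        return f"label longer than {MAX_LABEL_LEN} chars"
    return None

def scan_message(raw):
    """Return (filename, reason) for each HTML part with an oversized host."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        collector = LinkCollector()
        collector.feed(part.get_content())
        for url in collector.urls:
            reason = host_violation(url)
            if reason:
                findings.append((part.get_filename() or "(inline)", reason))
    return findings

def sample_message(host):
    """Constructed test mail: one HTML attachment linking to `host`."""
    msg = EmailMessage()
    msg.set_content("see attachment")
    msg.add_attachment(f'<a href="http://{host}/">test</a>',
                       subtype="html", filename="page.html")
    return msg.as_bytes()
```

A gateway would call `scan_message` on the raw message bytes and quarantine or strip the part when the returned list is non-empty.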