Lynx, lynx-ssl, and lynx-cur before 2.8.6dev.8 allow remote attackers to cause a denial of service (infinite loop) via a web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag with a large COLS value and (2) a large tag name in an element that is not terminated, as demonstrated by mangleme. NOTE: a followup suggests that the relevant trigger for this issue is the large COLS value.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
| Link | Tags |
|---|---|
| http://www.securityfocus.com/bid/11443 | exploit vdb entry vendor advisory |
| http://marc.info/?l=bugtraq&m=109811406620511&w=2 | mailing list |
| http://www.debian.org/security/2006/dsa-1077 | vendor advisory |
| http://securitytracker.com/id?1011809 | vdb entry |
| http://www.securityfocus.com/archive/1/435689/30/4740/threaded | mailing list |
| http://www.debian.org/security/2006/dsa-1076 | vendor advisory |
| http://www.debian.org/security/2006/dsa-1085 | vendor advisory |
| http://lists.grok.org.uk/pipermail/full-disclosure/2004-October/027709.html | mailing list vendor advisory |
| http://lcamtuf.coredump.cx/mangleme/gallery/ | vendor advisory |
| http://secunia.com/advisories/20383 | third party advisory vendor advisory |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/17804 | vdb entry |