Date: Mon, 17 May 1999 19:49:14 +0200 (CEST) From: Adam Szilveszter <sziszi@petra.hos.u-szeged.hu> To: Roger Marquis <marquis@roble.com> Cc: security@FreeBSD.ORG Subject: Re: HTML DOS? (http://microsoft.com/NTServer/all/Downloads.asp) Message-ID: <Pine.LNX.3.96.990517191116.2284A-100000@petra.hos.u-szeged.hu> In-Reply-To: <Pine.GSO.3.96.990517072214.22349A-100000@roble2.roble.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi!
My experinece upon looking at the page in question:
- With my FreeBSD box, running Netscape 4.6 (freebsd) it took about half a
minute to display the page, the communicator process actually used almost
all available RAM and a lot of CPU time. However, after exiting
Communicator, I got back the RAM (it says now: 26M Free), the amount that
has already been swapped out remains in place.
-After this I checked the same page from the same subnet with a W95
machine running Netscape 4.51 and M$ Internet Explorer 5. (That machine
has only 32M RAM, though, whereas mine has 64M) The results with Netscape:
It took the browser an incredible almost two minutes to display the page.
(!) it first displayed the toolbar only and the two minutes are from
when it appeared till the whole page was visible. There was a lot of HDD
activity going on at some times. I could see the words:
Version-4.51[en]-xxxx on the title bar (xxxx stands for some numbers. I
did not remember.) during the rendering process.
With IE, the page came up swiftly (10-15sec) but this actually is a
different page
IMHO in what techniques it uses. E.g. I'd bet on it, that it uses no
normal JavaScript but M$ implementation JScript for IE.
I even tried with StarOffice and the page displayed very quickly. It
received the Netscape version. (No 3D buttons)
From this I draw the conclusion that:
1) This problem is not UNIX specific, rather Netscape related.
2) FreeBSD actually did quite well, as you could see (30 sec rendering
time as opposed to 2 min on W95)
3) I tried others of their pages and the error did not recur. So I dare
say there is some buggy code on that page and while it is trying to
execute, the browser is stuck.(Even the animation stops in the corner) It
has someting to do with
browser-type parsing because it was probably processing the data I saw on
top (which was the Netscape version and language followed by some
interesting numbers) It is possible that this has again something to do
with their
client-tracking system.,.
4) It was clear from the very beggining that they design their pages in a
way to look much better on IE (so that they can say, well, see the
difference for yourself) but cannot understand what they use
JavaScript for. On the IE version it adds the functionality that the
buttons become 3D and Blue when you move your mouse over them. I am not an
expert on JavaScript but if they try to implement something similar here
then it simply doesn't work (and for that matter, never has, on any of
their pages)
5) I do not think it is a DOS. I think that it is both M$'s and Netscape's
fault. At M$ they simply ignore the standards when it comes to
good-looking but product-consicous (Win only) pages and use asp, which is
their own standard for including code into the page that executes while
loading. That's why it's pretty sure that if you see asp pages somewhere
than the server is almost certainly NT... As for Netscape, memory handling
problems always occured, didn't they?
Besides, I could see that Netscape was stuck in RUN status so it was
trying very hard to run something. This status is _very CPU consuming but
memory is not always affected. I saw something similar for RealPlayer,
when it looses the connection to the streaming server, it stucks in this
mode until stopped or regains the connection. It brings up CPU usage to
100% but it doesn't touch the RAM. On WinNT, it actually took over all
of the available RAM and swap when left at that and in the end it freezed.
On Win95 it even crashed the machine occasionally. So buggy software has
always existed...
BTW The worst I can think of on M$ part that they wanted to make the page
a
bit slower to load to show off that IE is much better...
P.S.: I checked, Communicator 4.6 is still a.out.
Regards:
Szilveszter
Szeged University
Hungary
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.3.96.990517191116.2284A-100000>