VYPR
Unrated severity · NVD Advisory · Published Dec 29, 2004 · Updated Apr 16, 2026

CVE-2004-1316

Description

A heap-based buffer overflow in Mozilla 1.7.3 and earlier via NNTP URLs with a trailing backslash allows denial of service or potential arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in the function MSG_UnEscapeSearchUrl within nsNNTPProtocol.cpp of Mozilla 1.7.3 and earlier [1][3][4]. When processing an NNTP URL (news:) ending with a trailing backslash (\), the loop that copies characters into a heap buffer allocated with PR_Malloc fails to null-terminate the source string correctly; the backslash also triggers a hex decoding step (PR_sscanf) that can write beyond the allocated buffer, leading to corruption of adjacent heap memory [3][4].

Exploitation

An attacker can trigger the overflow by convincing a user to click a specially crafted news: URL or by embedding such a URL in a web page or email that Mozilla processes [3][4]. The attacker does not need authentication or any special network position; the user interaction is minimal (clicking the link or viewing the content). The vulnerable code path is reachable as long as the NNTP protocol handler is enabled (default in the Mozilla Application Suite) [3][4].

Impact

Successful exploitation causes a denial of service (application crash) due to heap corruption [1][2][3]. The original discovery report notes that, depending on heap layout, the overflow may be leveraged to achieve arbitrary code execution with the privileges of the user running Mozilla [3][4]. Mozilla developer Dan Veditz, however, has publicly stated that the bug is not exploitable beyond a crash, and the CVE description and the HP security bulletin likewise treat it as a remote DoS [1][2][3].

Mitigation

Mozilla fixed this vulnerability in version 1.7.5, released in February 2005 [2][3][4]. For HP Tru64 UNIX, the Mozilla Application Suite 1.7.3 must be upgraded to 1.7.5, available from the Mozilla website [2]. Users of other operating systems should update to Mozilla 1.7.5 or later [3][4]. No workarounds are documented; users must apply the patched version [2][3][4].

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (23)

    • cpe:2.3:a:mozilla:mozilla:*:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.4:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.5:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.6:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.1:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.2:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7.3:*:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:alpha:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:beta:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc2:*:*:*:*:*:*
    • cpe:2.3:a:mozilla:mozilla:1.7:rc3:*:*:*:*:*:*
    • (no CPE) range: <=1.7.3

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check in `MSG_UnEscapeSearchUrl` when a trailing backslash causes the unescape loop to read past the null terminator and overflow the heap buffer."

Attack vector

An attacker crafts an NNTP URL (`news://`) whose query portion ends with a trailing backslash character (`\`). The URL is passed to `MSG_UnEscapeSearchUrl`; because the backslash is the last character before the null terminator, the unescape loop reads two bytes beyond the input string and writes decoded values into the heap-allocated result buffer, overflowing it [ref_id=2][ref_id=3]. The attacker can deliver this URL via a crafted HTML page using `window.open()` with the malicious `news://` URL, requiring only that the victim has an existing, reachable news server configured [ref_id=2].

Affected code

The vulnerable function is `MSG_UnEscapeSearchUrl` in `nsNNTPProtocol.cpp` [ref_id=2][ref_id=3]. The function allocates a heap buffer of `PL_strlen(commandSpecificData) + 1` bytes, then iterates over the input, unescaping `\`-prefixed hex sequences. When the input ends with a trailing `\` (backslash), the loop reads two bytes past the null terminator and writes decoded bytes into the result buffer, causing a heap-based buffer overflow [ref_id=2][ref_id=3].

What the fix does

The advisory states the bug is fixed in Mozilla 1.7.5 (Bug 264388) [ref_id=2][ref_id=3]. No patch diff is included in the bundle, but the fix presumably adds a check for a trailing backslash before entering the unescape loop, ensuring the loop does not read past the end of the input string. The HP security bulletin also directs users to upgrade to Mozilla 1.7.5 [ref_id=1].
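Added illustration of the bounds check that the fix described above has to supply; this is not Mozilla's code and not the actual patch (the page carries no diff). It reconstructs the unescape loop from the page's description, with the assumption that each escape is a backslash followed by exactly two hex digits (`\XX`). Unlike the loop the page describes, it verifies that both digits lie inside the input before reading or writing anything, so a trailing backslash is rejected instead of reading past the terminator:

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of one hex digit; the caller guarantees isxdigit(c). */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    return tolower((unsigned char)c) - 'a' + 10;
}

/*
 * Bounds-checked unescape of a search string in which "\XX" encodes one
 * byte as two hex digits (the escape format is an assumption here).
 * Returns a newly allocated decoded string, or NULL when the input contains
 * an incomplete escape: a '\' not followed by two hex digits before the
 * terminator. The trailing backslash of CVE-2004-1316 is exactly that case,
 * so it is rejected before any byte past the end is read or written.
 * The caller frees the result.
 */
char *unescape_search_url(const char *src) {
    size_t n = strlen(src);
    char *out = malloc(n + 1);   /* decoded text is never longer than the input */
    size_t j = 0;
    if (out == NULL) return NULL;
    for (size_t i = 0; i < n; i++) {
        if (src[i] != '\\') {
            out[j++] = src[i];
            continue;
        }
        /* The check the vulnerable loop lacked: both escape digits must lie
         * inside the input (i + 2 < n) and both must actually be hex digits. */
        if (i + 2 >= n ||
            !isxdigit((unsigned char)src[i + 1]) ||
            !isxdigit((unsigned char)src[i + 2])) {
            free(out);
            return NULL;
        }
        out[j++] = (char)((hexval(src[i + 1]) << 4) | hexval(src[i + 2]));
        i += 2;                  /* consume the two digits just decoded */
    }
    out[j] = '\0';
    return out;
}

/* Decodes src and compares with expected; returns 1 on match, 0 otherwise.
 * expected == NULL means "the input must be rejected". */
int unescape_matches(const char *src, const char *expected) {
    char *got = unescape_search_url(src);
    int ok;
    if (got == NULL) return expected == NULL;
    ok = (expected != NULL && strcmp(got, expected) == 0);
    free(got);
    return ok;
}

int main(void) {
    /* Constructed inputs: a valid escape, the trailing-backslash shape of the
     * advisory's proof of concept, and a one-digit escape at the end. */
    const char *inputs[] = { "profile\\2fAAAA", "AAAAAAAA\\", "abc\\4" };
    for (size_t k = 0; k < 3; k++) {
        char *d = unescape_search_url(inputs[k]);
        printf("%-16s -> %s\n", inputs[k], d ? d : "(rejected: incomplete escape)");
        free(d);
    }
    return 0;
}
```

The decision to reject rather than to copy the lone backslash through is deliberate: a search string that ends mid-escape is malformed, and failing closed keeps the function's output length bounded by `n + 1` without any special case later in the loop.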

Preconditions

  • (config) Victim must have a reachable NNTP (news) server configured
  • (input) Attacker must be able to deliver a crafted HTML page to the victim (e.g., via web or email)
  • (config) Victim's Mozilla browser must have the mozilla-mail component installed

Reproduction

The PoC HTML file from the researcher's advisory [ref_id=2] reproduces the crash:

```html
<html>
<script>
i = "news://news.individual.net/AAAAAAAAAAAAAA?";
for(l = 0; l < 16376; l++) i=i+"A";
i=i+"/?profile/";
for(l = 0; l < 16384; l++) i=i+"A";
i=i+"\\";
window.open(i);
</script>
</html>
```

Open this HTML in Mozilla 1.7.3 (with mozilla-mail) while a news server is reachable. The trailing `\` triggers the heap overflow, causing a crash [ref_id=2][ref_id=3].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (11)

News mentions (0)

No linked articles in our index yet.