Bug 1061925: looping mailto link can cause an out of memory condition
Status: Open (NEW)
Opened 10 years ago, updated 2 years ago
Categories: Core :: Security, defect
Reporter: curtisk; Assignee: Unassigned
Whiteboard: [reporter-external]
Attachments: 1 file (164 bytes, text/html)

Description
Subject: Remote computer crash through mail
From: Dylan Katz <dylanishappy1@gmail.com>
To: security@mozilla.org
-----//-----
Vulnerability: This vulnerability allows attackers to crash a victim's computer upon visiting a webpage using mailto links.
Reproduction:
<a href="mailto:email@example.com" id="crash"></a>
<script type="text/javascript">
while(true) { document.getElementById("crash").click(); }
</script>
As far as I know it doesn't disclose any information but it would appear to stop the user's internet connection after crashing and until the next reboot.
Comment 1 • 10 years ago (Reporter)
Tested briefly on OS X 10.9.4, Firefox 32. This opens a ton of mail windows, but I could still kill the browser and then close the windows. I suspect on lower memory available machines this just opens a ton of windows, causing an out of memory issue. So this could be a very annoying attack at the least or, depending on the crash, something more. Marking as s-s for now as the POC here is just not nice. Dylan, what OS and Firefox version were you using in your testing?
Flags: needinfo?(dylanishappy1)
Comment 2 • 10 years ago
I used Firefox on my Windows machine, but I've verified this works on several platforms with several browsers such as Chrome.
Flags: needinfo?(dylanishappy1)
Comment 3 • 10 years ago
Note bug 670328, which imo we should fix.
Comment 4 • 10 years ago (Reporter)
(In reply to Boris Zbarsky [:bz] from comment #3)
> Note bug 670328, which imo we should fix.
Given the other bug's similarity, should we keep this bug open? We can hide the attachment (as I think we should).
Flags: needinfo?(bzbarsky)
Comment 6 • 10 years ago
I'm not sure there's a point to hiding the attachment either; lots of ways to trigger OOM...
Flags: needinfo?(bzbarsky)
Updated • 10 years ago (Reporter)
Group: core-security
Updated • 2 years ago
Severity: normal → S3