Open Bug 1781147 Opened 2 months ago Updated 1 month ago

firefox denial-of-service triggered by infinitely long page title

Categories

(Core :: Security, defect)

defect

Tracking

()

People

(Reporter: pho.sco.glass, Unassigned, NeedInfo)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Firefox Broswer version 102.2.1 on Android 12

I am able to cause firefox to crash using the following code:

test.php -------

<!doctype html>
<html>
<head>
<title><?php for(;;){echo "a";}

Flags: sec-bounty?

--> Fenix for initial triage, given this was reported as a mobile bug.

Group: firefox-core-security → mobile-core-security
Component: Security → Security: Android
Product: Firefox → Fenix

This file looks incomplete, there is no closing php tag. The file looks to create an infinitely long title. This looks like a variation of bug 432687

Keywords: csectype-dos
Blocks: eviltraps
Group: mobile-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true

This file looks incomplete, there is no closing php tag.

The closing tag at the end of a PHP file is optional.

I tested this and reproduced on both Desktop and Android, which both become unresponsive and eventually crash. Ideally, a fix here shouldn't be mobile specific.

Component: Security: Android → Security
Product: Fenix → Core
Summary: firefox denial-of-service on mobile phone → firefox denial-of-service triggered by infinitely long page title

The severity field is not set for this bug.
:dveditz, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dveditz)
You need to log in before you can comment on or make changes to this bug.