256828 - DOS from lots of iframes w/ unloadable content (modal dlgs)

Status: RESOLVED INCOMPLETE

(Core :: Networking, defect)

Description

[Steven Woolard]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040809
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.2) Gecko/20040809

<!--
<script language="JavaScript">

while(true)

{

   document.write("<iframe src=\"C:\Windows\system32\"></iframe>");

}

</script>
-->

Reproducible: Always
Steps to Reproduce:
1. Visit http://tuxq.com/exploit.html 
2. Reproduced.

Actual Results:  
Pop up an infinite ammount of error messages.

Expected Results:  
Uhm... Not pop up an infinite of error messages...

This affects Mozilla, Opera, and Internet Explorer ...All with different problems.
I only submitted to Mozilla because it's the only one I use.

Comment 1

[Brendan Eich [:brendan]]

An infinite amount?  That's unlikely.  Setting iframe src= has nothing to do
with JavaScript, so please file bugs in better components.

What makes you say this is an "Exploit"?

/be

Comment 2

[Daniel Veditz [:dveditz]]

No need for the security sensitive flag since this report is based on a public
posting already. The actual DOS is hosted at http://www.su1d.net/iframe2.html,
the above link is to a discussion about it.

I get a prompt that a script is causing Mozilla to run slowly and offering to
let me abort it. After aborting the script I do get a lot of prompts, but much
fewer than 100. I'm sure it'd be more if I let the script run, but this is a
standard issue JS-loop DOS of which we've seen tons of variants.

Apart from JS, you could accomplish the same thing with a long page of
pregenerated broken <iframe>s.

Dropping the modal dialogs for unloadable content would be a big help. There are
other bugs on that topic (bug 28586 links to many).

Comment 3

[Matthias Versen [:Matti]]

The URL is dead and the posted script from comment doesn't do anything in trunk versions.
Is this still valid ?