Closed Bug 301424 Opened 16 years ago Closed 8 years ago
Simple DOS attack possible via add
User-Agent: Mozilla/3.04 (WinNT; I)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050712 Firefox/1.0+

The following JS line hangs Deer Park Alpha 2:

    for (;;) window.sidebar.addPanel ("x", "http://www.example.net/", "");

I've marked this as a security problem because at least under Windows XP it becomes very hard to close Deer Park if you don't do it soon enough: Task Manager fails to open or the 'End Process' button doesn't do anything. I had to log off to finally get rid of the browser which could cause loss of data in other applications.

Reproducible: Always
This is like "while(true) window.open()" except the popup blocker prevents that kind of abuse. addPanel() should probably feed through the popup blocker too, to make sure it's in response to a reasonable user action.
Status: UNCONFIRMED → NEW
Ever confirmed: true
*** Bug 338498 has been marked as a duplicate of this bug. ***
addPersistentPanel, addSearchEngine, and addMicrosummaryGenerator (possibly other similar methods being added, feed handling comes to mind) all could use some kind of protection against this type of abuse. There was some discussion about creating a generic system that could be shared with the popup blocker for this kind of thing when I brought up the "add a search engine" UI in #developers a while ago.
This was just published here: http://websecurity.com.ua/2454/
same as bug 256154?
(In reply to comment #6)
> same as bug 256154?

I don't think so, I had seen that bug before I filed this one. The other bug is about whether this addPanel should be treated just like window.open, this one is about limiting the number of simultaneous addPanel dialogs. Of course, iff addPanel was treated just like a popup this bug would become moot.
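The two mitigations proposed in this thread (honoring a dialog-raising call only in response to a user action, as the popup blocker does, and limiting the number of simultaneous dialogs) can be sketched together. This is an added example, not Mozilla's code: `PromptGate`, `noteUserGesture`, `request` and the stand-in `addPanel` are hypothetical names, and the one-second gesture window is an assumption.

```javascript
// Hypothetical gate for dialog-raising APIs; not Gecko's implementation.
class PromptGate {
  constructor({ maxOpen = 1, gestureWindowMs = 1000, now = () => Date.now() } = {}) {
    this.maxOpen = maxOpen;                 // cap on simultaneous dialogs
    this.gestureWindowMs = gestureWindowMs; // assumed validity window of a gesture
    this.now = now;
    this.lastGesture = -Infinity;
    this.open = 0;
    this.blocked = 0;
  }
  // The embedder calls this on a real click or key press.
  noteUserGesture() { this.lastGesture = this.now(); }
  // Returns a release() callback if the dialog may be shown, otherwise null.
  request() {
    const recent = this.now() - this.lastGesture <= this.gestureWindowMs;
    if (!recent || this.open >= this.maxOpen) { this.blocked++; return null; }
    this.lastGesture = -Infinity; // one gesture authorizes one dialog
    this.open++;
    let released = false;
    return () => { if (!released) { released = true; this.open--; } };
  }
}

// Constructed scenario with a fake clock: a script loop, then real clicks.
function simulate() {
  let t = 0;
  const gate = new PromptGate({ now: () => t });
  const shown = [];
  const addPanel = (title) => { // stand-in for any dialog-raising API
    const release = gate.request();
    if (release) shown.push({ title, release });
    return release !== null;
  };
  for (let i = 0; i < 10000; i++) addPanel("x"); // script-driven, no gesture
  const afterLoop = shown.length;
  t = 5000; gate.noteUserGesture();
  const first = addPanel("a");   // allowed: fresh gesture, nothing open
  const second = addPanel("b");  // blocked: gesture consumed, dialog open
  shown[0].release();            // user dismisses the dialog
  t = 5200;
  const third = addPanel("c");   // blocked: no new gesture
  gate.noteUserGesture();
  const fourth = addPanel("d");  // allowed again
  return { afterLoop, first, second, third, fourth, blocked: gate.blocked, open: gate.open };
}
```
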
As shown in the duplicated bug 658863 this is still a problem in the latest Firefox versions.
OS: Windows XP → All
Hardware: x86 → All
Version: unspecified → Trunk
Bug 691647 removed addPanel.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Depends on: 691647
Resolution: INVALID → FIXED
Target Milestone: --- → Firefox 24
Target Milestone: Firefox 24 → Firefox 23