Closed Bug 301424 Opened 16 years ago Closed 8 years ago

Simple DOS attack possible via addPanel

Categories

(Firefox :: Bookmarks & History, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
Firefox 23

People

(Reporter: Seno.Aiko, Unassigned)

References

Details

(Whiteboard: [sg:dos])

User-Agent:       Mozilla/3.04 (WinNT; I)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b3) Gecko/20050712 Firefox/1.0+

The following JS line hangs Deer Park Alpha 2:
  for (;;) window.sidebar.addPanel ("x", "http://www.example.net/", "");

I've marked this as a security problem because at least under Windows XP it 
becomes very hard to close Deer Park if you don't do it soon enough: Task 
Manager fails to open or the 'End Process' button doesn't do anything. I had to 
log off to finally get rid of the browser which could cause loss of data in 
other applications.


Reproducible: Always
This is like "while(true) window.open()" except the popup blocker prevents that
kind of abuse. addPanel() should probably feed through the popup blocker too, to
make sure it's in response to a reasonable user action.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [sg:dos]
*** Bug 338498 has been marked as a duplicate of this bug. ***
Group: security
Whiteboard: [sg:dos] → [sg:low dos]
addPersistentPanel, addSearchEngine, and addMicrosummaryGenerator (possibly other similar methods being added, feed handling comes to mind) all could use some kind of protection against this type of abuse. There was some discussion about creating a generic system that could be shared with the popup blocker for this kind of thing when I brought up the "add a search engine" UI in #developers a while ago.
This was just published here:
http://websecurity.com.ua/2454/
Duplicate of this bug: 458649
Whiteboard: [sg:low dos] → [sg:dos]
same as bug 256154?
(In reply to comment #6)
> same as bug 256154?

I don't think so, I had seen that bug before I filed this one. The other bug is about whether this addPanel should be treated just like window.open, this one is about limiting the number of simultaneous addPanel dialogs. Of course, iff addPanel was treated just like a popup this bug would become moot.
Duplicate of this bug: 658863
As shown in the duplicated bug 658863 this i still a problem in the latest Firefox versions.
OS: Windows XP → All
Hardware: x86 → All
Version: unspecified → Trunk
Bug 691647 removed addPanel.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Depends on: 691647
Resolution: INVALID → FIXED
Target Milestone: --- → Firefox 24
Target Milestone: Firefox 24 → Firefox 23
You need to log in before you can comment on or make changes to this bug.