Firefox 2,3 url handling memory consumption DOS

VERIFIED DUPLICATE of bug 447987

Status

critical

People

(Reporter: raydenxy, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details


Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1

Mozilla Firefox 2 and 3 are prone to a remote denial of service attack because they fail to properly handle overly long URLs in the form of www.[100000+ x 'a'].com. An example would be <a href="http://www.a.a.a.a.a....[100000+].com/">test</a> or just pasting that URL in the address bar (yes, Firefox accepts such a thing). Of course there are several ways a URL of this form could be formed. Putting only dots instead of '.a' works just fine.

When following such a link Firefox will start eating up some nice CPU and after that will start consuming large amounts of memory (RAM). Eventually it will run out of memory and it will crash (not always though, it will just hang at some point). If somehow the memory consumption doesn't occur after the CPU phase and Firefox seems to have recovered, then just trying to browse to some other page or interact with Firefox will start the memory consumption process (large amounts of RAM consumption can lead to system instability).

Making the URL 700000+ long, the CPU consumption phase could be considered itself a DoS attack, but since it will end after a few minutes or hours :D depending on the CPU, I will be considering that Firefox is conducting some legitimate processing of the URL. But the memory amounts consumed are too big to be considered legitimate, so there is no doubt that there is some sort of a bug (vulnerability) in the code or in the logic of that part of the code. All of this makes Firefox stop responding (hang), thus leading to a denial of service attack. A malicious website can host a page including such a URL, thereby causing a remote denial of service attack on systems visiting the website.

Tested on Firefox 2.0.0.14 and 3.0.1 under Windows XP, Vista, Linux (Backtrack :P).

Please visit the following link for the original description of the problem.
http://shinnok.evonet.ro/vulns_html/firefox.html

Reproducible: Always

Steps to Reproduce:
Please read the Details section.
Actual Results:  
Please read the Details section.

Expected Results:  
I think that Firefox should have correctly processed the URL without consuming large amounts of memory or spending so much time on it. One workaround would be to actually invalidate such a big URL.

Several add-ons might make the problem worse, although I can't prove this at the moment.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 447987

Updated

10 years ago
Status: RESOLVED → VERIFIED
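
The workaround suggested in the report, rejecting oversized URLs, shown as an added example (not Firefox code and not from the report): a linear-time pre-check that applies the DNS name limits of 253 characters per hostname and 63 per label before a URL reaches a full parser or resolver. The function names, reason strings and sample URLs are constructed for illustration, and the host is assumed to be in ASCII form already.

```javascript
// DNS limits for a hostname in textual form (RFC 1035).
const MAX_HOST_LEN = 253;  // whole name
const MAX_LABEL_LEN = 63;  // one dot-separated label

// Extract the host with linear string scans only, so the check stays cheap
// even when the input is hundreds of kilobytes long.
function extractHost(url) {
  const schemeEnd = url.indexOf("://");
  if (schemeEnd < 0) return null;
  let rest = url.slice(schemeEnd + 3);
  const end = rest.search(/[\/?#]/);       // end of the authority part
  if (end >= 0) rest = rest.slice(0, end);
  const at = rest.lastIndexOf("@");        // drop userinfo
  if (at >= 0) rest = rest.slice(at + 1);
  if (rest.startsWith("[")) return rest;   // IPv6 literal, not a DNS name
  const colon = rest.lastIndexOf(":");     // drop port
  if (colon >= 0) rest = rest.slice(0, colon);
  return rest.toLowerCase();
}

// Returns { ok, reason }; the total-length test runs before any splitting.
function checkHost(url) {
  const host = extractHost(url);
  if (host === null || host === "") return { ok: false, reason: "no-host" };
  if (host.startsWith("[")) return { ok: true, reason: "ip-literal" };
  const name = host.endsWith(".") ? host.slice(0, -1) : host; // root dot
  if (name.length > MAX_HOST_LEN) return { ok: false, reason: "host-too-long" };
  for (const label of name.split(".")) {
    if (label.length === 0) return { ok: false, reason: "empty-label" };
    if (label.length > MAX_LABEL_LEN) return { ok: false, reason: "label-too-long" };
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample URLs shaped like the ones the report describes.
const SAMPLES = {
  normal: "http://www.example.com/index.html",
  manyLabels: "http://www." + "a.".repeat(100000) + "com/",
  onlyDots: "http://www" + ".".repeat(100000) + "com/",
  shortDots: "http://www..com/",
  longLabel: "http://www." + "a".repeat(100) + ".com/",
};

function classifyAll() {
  const out = {};
  for (const [k, v] of Object.entries(SAMPLES)) out[k] = checkHost(v).reason;
  return out;
}
console.log(classifyAll());
```
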