Open Bug 460477 Opened 16 years ago Updated 2 years ago

Mozilla 2.0.17 Denial of Service with Recursive Carriage Return Alert NULL

Categories

(Firefox :: Security, defect)

2.0 Branch
x86
Windows XP
defect

People

(Reporter: adi.zerok, Unassigned)

Details

(Whiteboard: [sg:dos])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.17) Gecko/20080829 Firefox/2.0.0.17

It has been observed that Firefox version 2.0.0.17 is vulnerable to a client side flaw. When an underline script is called, the browser gets into a locked state with an alert box pointing to a null object.

<script language="javascript">
while (1) {
  alert(window.open("\r\n"));
  alert(window.open("\r\n"));
  alert(window.open("\r\n"));
  alert(window.open("\r\n"));
}
</script>

Reproducible: Always

Steps to Reproduce:

<script language="javascript">
while (1) {
  alert(window.open("\r\n"));
  alert(window.open("\r\n"));
  alert(window.open("\r\n"));
  alert(window.open("\r\n"));
}
</script>

Actual Results:
Browser Lockdown State with Alert pointing to Null Object

Expected Results:
Denial of Service
Attached file testcase
When I try this I get an endless-alert-loop as in bug 61098 (the window.open() calls are blocked by the popup-blocker). Is that what you're seeing, or are you seeing a harder kind of lock-up?
Whiteboard: [sg:needinfo] dupe of bug 61098?
That's the one aspect. Even if you remove the while loop, the stringent behavior is shown again. Of course, the browser gets locked till the process is killed manually after some time.
Component: General → Security
Version: unspecified → 2.0 Branch
Whiteboard: [sg:needinfo] dupe of bug 61098? →
Whiteboard: → [sg:low dos]
Summary: Stringent Behavior : Denial of Service with Recursive Carriage Return Alert NULL → Mozilla 2.0.17 Denial of Service with Recursive Carriage Return Alert NULL
Group: core-security
Status: UNCONFIRMED → NEW
Depends on: alertloops
Ever confirmed: true
Whiteboard: [sg:low dos] → [sg:dos]
Just tried this testcase with the patch in bug 61098 and it seems to be the same exact thing as bug 61098: while(1)alert(null). Anyways, the testcase on this bug can be overcome with the patch in bug 61098.
QA Contact: general → firefox
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4

I tried the test case with Fx 3.6.4 and this issue is still present. :(
Please test it in nightly: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/

I think this is no longer an issue after Bug 61098 fix...
Severity: normal → S3