Open
Bug 680018
Opened 14 years ago
Updated 3 years ago
rapt explorer with console and throw antiflooding bypass
Categories
(Core :: Security, defect)
NEW
People
(Reporter: zkizzik, Unassigned)
Details
(Whiteboard: [sg:dos])
User Agent: Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110811165603
Steps to reproduce:
Firefox prevents "throw" from being executed more than one time, but you can call it as often as you want by creating new script tags.
This can be used to abduct the browser by flooding the error console in different ways.
<script>
var i=0;
for(i=0;i<=3;i++){
i = 1;
document.write("\x3cscript\x3ethrow 'x';\x3c/script\x3e");
}
</script>
Actual results:
Crash all tabs.
Expected results:
nothing should preclude their use maximum number of tags or at least should not carry off all other tabs.
Comment 1•14 years ago
Probably just your garden variety OOM situation.
Updated•14 years ago
Component: Developer Tools → Security
Product: Firefox → Core
QA Contact: developer.tools → toolkit
Comment 2•14 years ago
The main issue appears to be that
for(i=0;i<=3;i++){
throw 'x';
}
will only throw once. However if you write <script> then those can also throw.
I don't think the infinite loop is a huge risk.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86 → All
Whiteboard: [sg:dos]
No, not at high risk, just wanted to warn that the error console flooding is possible to end all tabs because its use is shared with all other websites.
If I run this in another browser I get a warning that a script is causing the browser to get slow and I can stop it easily, but in the case of Firefox all tabs freeze without the option to stop the attack.
For example cause the rise of my video on youtube 2 hours canceled.
Comment 4•14 years ago
Thanks for reporting this, zkizzik.
Updated•3 years ago
Severity: normal → S3
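Added example, not part of the bug report and not Firefox code: a small model of the behaviour discussed in Comment 2 (a throw inside a loop reports one error, while each separate script reports its own) together with a per-origin quota on a shared error console. The ErrorConsole class, its quota of 5 and the example origins are hypothetical.

```javascript
// Model of a page load: each <script> element is its own top-level run, and an
// uncaught exception ends only that run before the host moves to the next one.
function runScripts(sources, report) {
  for (const src of sources) {
    try {
      new Function(src)();
    } catch (err) {
      report(String(err)); // uncaught error is handed to the error console
    }
  }
}

// Hypothetical shared error console with a per-origin quota (an assumption for
// illustration, not Firefox's implementation).
class ErrorConsole {
  constructor(perOriginLimit) {
    this.limit = perOriginLimit;
    this.counts = new Map();
    this.entries = [];
  }
  log(origin, message) {
    const n = (this.counts.get(origin) || 0) + 1;
    this.counts.set(origin, n);
    if (n <= this.limit) {
      this.entries.push({ origin, message });
      return true;
    }
    if (n === this.limit + 1) {
      this.entries.push({ origin, message: "further errors suppressed" });
    }
    return false;
  }
}

function demo() {
  const con = new ErrorConsole(5);
  const count = { loop: 0, scripts: 0 };
  // One script, throw inside a loop: the first throw ends the script.
  runScripts(["for (var i = 0; i <= 3; i++) { throw 'x'; }"],
    (m) => { count.loop++; con.log("https://a.example", m); });
  // Constructed input: 1000 separate one-line scripts, each throws once.
  runScripts(Array(1000).fill("throw 'x';"),
    (m) => { count.scripts++; con.log("https://a.example", m); });
  // A different origin still gets its error recorded.
  const otherOriginLogged = con.log("https://b.example", "ReferenceError: y");
  return { ...count, stored: con.entries.length, otherOriginLogged };
}
```

With the quota in place the 1001 errors from one origin occupy six console entries (five messages plus one suppression notice), and the second origin's error is still stored.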