Bugtraq
mailing list archives
Re: Firefox / IE6 crash on javascript nested loops
From: Jan Heisterkamp <janheisterkamp () web de>
Date: Tue, 30 Oct 2007 14:24:16 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As a nice workaround you can use the NoScript add-on
https://addons.mozilla.org/en-US/firefox/addon/722
Regards,
Jan
thabob wrote:
ground418 security advisory
Date: 30-10-2007
Subject: Firefox / IE6 crash on javascript nested loops
Author: Vincent Audet Menard
Original file: http://www.ground418.org/exploits/read.php?file=07-ffox-loops
Risk: low
Tested on: IE6, IE7, Firefox, Safari
Vulnerable: IE6 and older, Firefox 2.0.0.8 and older (Mac, Windows, Linux)
Not Vulnerable: IE7, Safari 2.0.4
-[ Remote Firefox / IE6 crash ]
It's possible to crash and/or force the user to kill Firefox 2.0.0.8
and IE6 by coding an endless loop using javascript functions onblur()
and onfocusout(). By using 2 text input fields that are respectively
setting focus on each other, you can force the user to quit the
browser and eventually crash it if the user holds the enter key when a
javascript alert window appears.
This bug seems to be fixed in Internet Explorer 7; Microsoft seems to
have added a counter that limits the number of consecutive pop-up
alerts.
A variation of that bug was reported to Firefox a few years ago
(see related file), but seems never to have been posted on official
security channels.
-[ Related files ]
Original file:
http://www.ground418.org/exploits/read.php?file=07-ffox-loops
Proof of concept available on (at your own risk):
http://www.ground418.org/exploits/archived/ffox2-poc.html
Related on bugzilla
https://bugzilla.mozilla.org/show_bug.cgi?id=302787
---
Vincent A. Ménard
CTO - Heptacube inc.
http://www.heptacube.com
- --
Grupo Ampersand S.A.
IT-Security Consultants & Auditors
Apdo. 924 Escazu 1250
Costa Rica C.A.
Phone: (506)588-0432
ceo_at_ampersanded.com [corp.]
janheisterkamp_at_web.de [priv.]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFHJ5LwPPNzabyjTq4RAk9gAJ9yMvOsIRWXZCzu4k7/fPjutXZBLgCeO2iM
o5xJqS+r7Bit01gZY/MKs8A=
=s81h
-----END PGP SIGNATURE-----
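
The advisory above says IE7 appears to limit the number of consecutive pop-up alerts. As an added example (not code from the advisory, this thread, or any browser), the sketch below shows one way such a limiter can work; the function names, thresholds and the simulated event sequence are assumptions made for illustration.

```javascript
// Added example: a consecutive-dialog limiter (all names are hypothetical).
// Dialogs that follow each other within `quietMs` count as one burst; once a
// burst reaches `maxConsecutive`, further dialogs are dropped until the page
// has stayed quiet for `quietMs`.
function makeDialogGuard(showDialog, opts = {}) {
  const maxConsecutive = opts.maxConsecutive ?? 3;
  const quietMs = opts.quietMs ?? 2000;
  const now = opts.now ?? (() => Date.now());
  let burst = 0;
  let lastAttempt = -Infinity;
  let suppressed = 0;

  function guardedAlert(message) {
    const t = now();
    // A long enough pause ends the burst and re-arms the guard.
    if (t - lastAttempt >= quietMs) burst = 0;
    // Suppressed attempts refresh the timer too, so a tight loop cannot
    // outlast the limit simply by continuing to fire.
    lastAttempt = t;
    if (burst >= maxConsecutive) {
      suppressed += 1;
      return false;
    }
    burst += 1;
    showDialog(message);
    return true;
  }
  guardedAlert.stats = () => ({ burst, suppressed });
  return guardedAlert;
}

// Constructed scenario: handlers that keep passing focus to each other, each
// raising a dialog, modelled as 50 back-to-back calls 10 ms apart.
function simulateFocusLoop() {
  let clock = 0; // fake clock in milliseconds, so the run is deterministic
  const shown = [];
  const alertGuarded = makeDialogGuard((m) => shown.push(m), {
    maxConsecutive: 3, quietMs: 2000, now: () => clock,
  });
  for (let i = 0; i < 50; i++) {
    alertGuarded(i % 2 === 0 ? "field A lost focus" : "field B lost focus");
    clock += 10;
  }
  const duringLoop = shown.length; // dialogs the user actually had to dismiss
  clock += 5000;                   // quiet period after the loop has stopped
  const afterQuiet = alertGuarded("legitimate validation message");
  return { duringLoop, suppressed: alertGuarded.stats().suppressed, afterQuiet };
}
```

With these constructed settings the user dismisses three dialogs instead of fifty, and a later, unrelated dialog is still delivered once the burst has ended.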