Firebug 2.0.16 - Regular Expression DoS #8012

Closed
arturczyz opened this Issue Apr 19, 2016 · 2 comments

@arturczyz
arturczyz commented Apr 19, 2016 edited

Firebug 2.0.16 - Regular Expression DoS / Infinite Loop Vulnerability

---------------------------------------------
I. DESCRIPTION
---------------------------------------------

A Regular Expression DoS vulnerability in Firebug 2.0.16 allows remote attackers to crash the Firebug plugin.

---------------------------------------------
II. LOCATION OF VULNERABILITY
---------------------------------------------

Path: /firebug/content/lib/url.js
Line: 450

---------------------------------------------
III. PROOF OF CONCEPT
---------------------------------------------

Tested on:
Mozilla Firefox 45.0.1 with Firebug 2.0.16

Example URL with an evil payload which exploits the vulnerability and as a result will crash the Firebug plugin.

Payload: test//;../../../test

Option I:

  1. Open URL: http://example.domain/?falsevariable=test;//;../../../test
  2. Load Firebug plugin.

Option II:

  1. Open Firebug plugin.
  2. Open URL: http://example.domain/?falsevariable=test;//;../../../test

Explanation:
The payload works in any domain (example.domain is only an example); we only need to put the payload in the value of any variable.

---------------------------------------------
IV. REFERENCES
---------------------------------------------


Discovered by: Artur Czyz

@simonlindholm
Member

It's not an evil regex as much as an infinite loop... and I'm not actually sure what the purpose of the loop is, either. #8013 should be a safe fix. Not that this is very critical (a page could also just detect Firebug and then do an infinite loop, with much the same effect).

@janodvarko janodvarko closed this in #8013 Apr 19, 2016
@janodvarko
Member

@arturczyz thanks for the report!

The fix will be included in Firebug 2.0.17

Honza
