[RESOLVED] Infinite JS Warning Popups - How to crash TB through NoScript

aliphapet
Posts: 1
Joined: Mon Aug 16, 2021 1:18 pm


Post by aliphapet »

Hi There,

You can see full details reported to TorProject:

https://gitlab.torproject.org/tpo/appli ... sues/40596

ThX!
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by therube »

(I'll just note that in FF [not Tor] 78ESR & 91, I can get high CPU [that does subside after a bit], but I don't see XSS nor do I crash.
Win7 x64.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.10
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by Giorgio Maone »

I can see what's happening there: the page has 152 <noscript> elements, 56 of which contain distinct YouTube iframes, which therefore get scanned for XSS attempts all together, DoSing the browser.

If you either disable the noscript capability for 3mdeb.com or the frame capability for youtube.com, the page should load almost instantaneously with no warning.

I should probably look into some form of rate limiting or serialization of the injection checker for edge cases like this.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
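
The rate limiting / serialization idea from the post above, sketched as an added example (this is not NoScript's code and not part of the original thread). `createCheckQueue`, `checkFn` and the frame URLs are hypothetical; the 56 distinct frames come from the numbers in the post, and the checker is a stand-in that the demo completes by hand.

```javascript
// Bounded, de-duplicated scheduling of per-frame injection checks.
// All names here are illustrative assumptions, not NoScript APIs.
function createCheckQueue(checkFn, maxConcurrent = 1) {
  const pending = [];          // URLs waiting for a free slot
  const results = new Map();   // url -> verdict of a finished check
  const waiters = new Map();   // url -> callbacks waiting on that URL
  let running = 0;
  let peak = 0;

  function pump() {
    while (running < maxConcurrent && pending.length > 0) {
      const url = pending.shift();
      running++;
      peak = Math.max(peak, running);
      checkFn(url, (verdict) => {
        running--;
        results.set(url, verdict);
        const cbs = waiters.get(url) || [];
        waiters.delete(url);
        for (const cb of cbs) cb(verdict);
        pump();                // a slot is free: start the next check
      });
    }
  }

  return {
    submit(url, cb) {
      if (results.has(url)) return cb(results.get(url));           // already checked
      if (waiters.has(url)) { waiters.get(url).push(cb); return; } // queued or running
      waiters.set(url, [cb]);
      pending.push(url);
      pump();
    },
    stats: () => ({ running, queued: pending.length, peak }),
  };
}

// Constructed scenario: 56 distinct frame URLs, each requested twice.
function demo(maxConcurrent = 2) {
  const started = [];          // completion triggers of checks in flight
  let invocations = 0;
  const fakeCheck = (url, done) => { invocations++; started.push(() => done("clean")); };
  const queue = createCheckQueue(fakeCheck, maxConcurrent);
  let delivered = 0;
  for (let pass = 0; pass < 2; pass++)
    for (let i = 0; i < 56; i++)
      queue.submit(`https://www.youtube.com/embed/constructed-${i}`, () => delivered++);
  const queuedAtStart = queue.stats().queued;
  while (started.length) started.shift()();  // finish checks one at a time
  return { invocations, delivered, queuedAtStart, peak: queue.stats().peak };
}
```

With a limit of 2, the 112 requests result in 56 checker runs and never more than two in flight at once, instead of all frames being scanned together.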
security-alert
Posts: 8
Joined: Sun May 22, 2022 2:20 pm

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by security-alert »

Any news on this issue? I can see it still happening to this day.
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by Giorgio Maone »

Could you please check latest development build? Thanks.
v 11.4.6rc1
============================================================
x [XSS] Correct for concurrency in timeout checks
x [UI] Flatter preset appearance
x [UI] Focus visual feedback adjustments
x Inclusion-time TLD updates
x Updated HTML events
x [L10n] Updated pl
x Opaque white for vintage lock icons
x [L10n] Updated is
Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
security-alert
Posts: 8
Joined: Sun May 22, 2022 2:20 pm

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by security-alert »

> Could you please check latest development build? Thanks.
> v 11.4.6rc1

Yes, works great! Thank you :)

Btw, the forum doesn't send notifications, neither through email nor internally (within the forum). Also, reset password doesn't work (no reply). So I just wanted to let you know so hopefully it can be fixed or so.
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
barbaz_logged_out

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by barbaz_logged_out »

security-alert wrote: Thu May 26, 2022 9:51 pm
> Btw, the forum doesn't send notifications, neither through email nor internally (within the forum). Also, reset password doesn't work (no reply). So I just wanted to let you know so hopefully it can be fixed or so.

???
Ok, I'm testing subscribing to this topic, let's see if I get notified of this reply...
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
barbaz
Senior Member
Posts: 10841
Joined: Sat Aug 03, 2013 5:45 pm

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by barbaz »

Email notification came instantly for me. EDIT Board-internal notification is also there. /EDIT

Check your settings in ucp.php?i=ucp_notifications&mode=notification_options and that you are indeed subscribed to this topic?
*Always* check the changelogs BEFORE updating that important software!
security-alert
Posts: 8
Joined: Sun May 22, 2022 2:20 pm

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by security-alert »

> and that you are indeed subscribed to this topic?

Ah, I should subscribe manually to the topics? I didn't know this; I thought it's automatic as long as the topic was created by me (which was with my first account, which sadly, I don't know why, I can't log in to anymore..).

My notifications for internal and email are enabled, but yeah, about topic subscription, that I didn't check.
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
security-alert
Posts: 8
Joined: Sun May 22, 2022 2:20 pm

Re: Infinite JS Warning Popups - How to crash TB through NoScript

Post by security-alert »

You can mark this ticket as fixed.
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
arabflavor
Posts: 4
Joined: Sat Jan 08, 2022 12:19 pm

Re: [RESOLVED] Infinite JS Warning Popups - How to crash TB through NoScript

Post by arabflavor »

Worked for me as well. Thanks. And yes you have to be subscribed to the topic in order to receive notifications. I did not know it either.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36