[RESOLVED] Infinite JS Warning Popups - How to crash TB through NoScript
[RESOLVED] Infinite JS Warning Popups - How to crash TB through NoScript
Hi There,
You can see full details reported to TorProject:
https://gitlab.torproject.org/tpo/appli ... sues/40596
ThX!
			
			
									
						
										                        You can see full details reported to TorProject:
https://gitlab.torproject.org/tpo/appli ... sues/40596
ThX!
Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
						Re: Infinite JS Warning Popups - How to crash TB through NoScript
(I'll just note that in FF [not Tor] 78ESR & 91, I can get high CPU [that does subside after a bit], but I don't see XSS nor do I crash.
Win7 x64.)
			
			
									
						
							Win7 x64.)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
			                        Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0 SeaMonkey/2.53.10
						- Giorgio Maone
- Site Admin
- Posts: 9528
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Infinite JS Warning Popups - How to crash TB through NoScript
I can see what's happening there: the page has 152 <noscript> elements, 56 of which contain  distinct Youtube iframes which get therefore scanned for XSS attempts all together, DOSing the browser.
If you either disable the noscript capability for 3mdeb.com or the frame capability for youtube.com the page should load almost instantaneously with no warning.
I should probably look into some form of rate limiting or serialization of the injection checker for edge case like this.
			
			
									
						
										                        If you either disable the noscript capability for 3mdeb.com or the frame capability for youtube.com the page should load almost instantaneously with no warning.
I should probably look into some form of rate limiting or serialization of the injection checker for edge case like this.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0
						- 
				security-alert
- Posts: 8
- Joined: Sun May 22, 2022 2:20 pm
Re: Infinite JS Warning Popups - How to crash TB through NoScript
Any news on this issue? I can see it still happening until this day.
			
			
									
						
										                        Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
						- Giorgio Maone
- Site Admin
- Posts: 9528
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: Infinite JS Warning Popups - How to crash TB through NoScript
Could you please check latest development build? Thanks.
v 11.4.6rc1
============================================================
x [XSS] Correct for concurrency in timeout checks
x [UI] Flatter preset appearance
x [UI] Focus visual feedback adjustments
x Inclusion-time TLD updates
x Updated HTML events
x [L10n] Updated pl
x Opaque white for vintage lock icons
x [L10n] Updated is
			
			
									
						
										                        v 11.4.6rc1
============================================================
x [XSS] Correct for concurrency in timeout checks
x [UI] Flatter preset appearance
x [UI] Focus visual feedback adjustments
x Inclusion-time TLD updates
x Updated HTML events
x [L10n] Updated pl
x Opaque white for vintage lock icons
x [L10n] Updated is
Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
						- 
				security-alert
- Posts: 8
- Joined: Sun May 22, 2022 2:20 pm
Re: Infinite JS Warning Popups - How to crash TB through NoScript
Yes works great!, Thank YouCould you please check latest development build? Thanks.
v 11.4.6rc1

Btw forums doesnt send notifications not through email nor internally (within the forum), Also reset password doesnt work (no reply).. So i just wanted to let you know so hopefully can be fixed or so.
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
						- 
				barbaz_logged_out
Re: Infinite JS Warning Popups - How to crash TB through NoScript
???security-alert wrote: ↑Thu May 26, 2022 9:51 pm Btw forums doesnt send notifications not through email nor internally (within the forum), Also reset password doesnt work (no reply).. So i just wanted to let you know so hopefully can be fixed or so.
Ok, I'm testing subscribing to this topic, let's see if I get notified of this reply...
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.61 Safari/537.36
						Re: Infinite JS Warning Popups - How to crash TB through NoScript
Email notification came instantly for me.  EDIT Board-internal notification is also there. /EDIT
Check your settings in ucp.php?i=ucp_notifications&mode=notification_options and that you are indeed subscribed to this topic?
			
			
									
						
							Check your settings in ucp.php?i=ucp_notifications&mode=notification_options and that you are indeed subscribed to this topic?
*Always* check the changelogs BEFORE updating that important software!
			                        -
						- 
				security-alert
- Posts: 8
- Joined: Sun May 22, 2022 2:20 pm
Re: Infinite JS Warning Popups - How to crash TB through NoScript
> and that you are indeed subscribed to this topic?
Ah i should subscribe manually to the topics? i didnt know this thought its automatic as long as the topic created by me. (which is my first account which is sadly i dont know why i cant login to it anymore..)
My notifications for internal and email are enabled, But yeah about topic subscription that didnt check.
			
			
									
						
										                        Ah i should subscribe manually to the topics? i didnt know this thought its automatic as long as the topic created by me. (which is my first account which is sadly i dont know why i cant login to it anymore..)
My notifications for internal and email are enabled, But yeah about topic subscription that didnt check.
Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
						- 
				security-alert
- Posts: 8
- Joined: Sun May 22, 2022 2:20 pm
Re: Infinite JS Warning Popups - How to crash TB through NoScript
You can mark this ticket as fixed.
			
			
									
						
										                        Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
						- 
				arabflavor
- Posts: 4
- Joined: Sat Jan 08, 2022 12:19 pm
Re: [RESOLVED] Infinite JS Warning Popups - How to crash TB through NoScript
Worked for me as well. Thanks. And yes you have to be subscribed to the topic in order to receive notifications. I did not know it either.
			
			
									
						
										                        Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36
						
