Re[4]: [Full-disclosure] Update: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari, Opera, Chrome, Seamonkey, iPhone, iPod, Wii, PS3....

Hi Michal,

MZ>  which does not seem to be that far
MZ> from creating an overly nested DOM tree, or drawing an oversized

Interesting tidbit:
The W3C DOM specifies the select.length attribute to be *read only*.
Yet (all) browsers have implemented it allowing to write to it. I
am not sure what use that has (?) but one thing is sure, they failed
to add a limit, the W3C didn't, but that's because it was never meant
to be written to in the first place.


-- 
http://blog.zoller.lu
Thierry Zoller




Replies to this exploit:

From: Michal Zalewski lcamtuf@coredump.cx
Sent: Tue 21. Jul 2009 16:15
> The W3C DOM specifies the select.length attribute to be *read only*.

Does not seem to be the case in HTML5 at least?

http://dev.w3.org/html5/spec/Overview.html#the-select-element

In fact, it has the behavior for writes defined:

"On setting, it must act like the attribute of the same name on the
options collection."

It may or may not have any practical uses (dynamic resizing of SELECTs
without having to delete individual options).

/mz
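An added example, not code from the thread or from any browser: a model of the HTML5 setter quoted above (select.length acting like options.length), built on a plain array instead of the DOM so it runs under node, with an unbounded version beside the bounded one. MAX_OPTIONS is an assumed cap chosen for illustration, not a value taken from the page.

```javascript
// Assumed bound on a single length assignment (illustrative value).
const MAX_OPTIONS = 100000;

// Minimal stand-in for an <option> element.
function makeOption(text = "", value = "") {
  return { text, value };
}

// Unbounded setter: the behaviour the thread describes, no limit at all.
// Growing appends blank options, shrinking truncates from the end.
function setLengthUnbounded(options, n) {
  n = Number(n) >>> 0; // WebIDL unsigned long: wraps modulo 2^32
  while (options.length > n) options.pop();
  while (options.length < n) options.push(makeOption());
  return options.length;
}

// Bounded setter: same semantics, but an assignment above MAX_OPTIONS is
// ignored (collection left unchanged) instead of allocating n elements
// on behalf of whatever script asked for them.
function setLengthBounded(options, n) {
  n = Number(n) >>> 0;
  if (n > MAX_OPTIONS) return options.length;
  return setLengthUnbounded(options, n);
}

// select.length: "on setting, it must act like the attribute of the
// same name on the options collection".
class SelectElement {
  constructor() { this.options = []; }
  get length() { return this.options.length; }
  set length(n) { setLengthBounded(this.options, n); }
}

// Walk-through on constructed input.
function demo() {
  const sel = new SelectElement();
  sel.options.push(makeOption("a", "1"), makeOption("b", "2"));
  sel.length = 5;        // grows: three blank options appended
  const grown = sel.length;
  sel.length = 1;        // shrinks: only "a" remains
  const shrunk = sel.length;
  sel.length = 2 ** 31;  // refused by the bound; length unchanged
  const refused = sel.length;
  return { grown, shrunk, refused, first: sel.options[0].text };
}
```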
