Issue 21238: security: Content-Type: application/rss+xml being rendered as active content
Status:  Fixed
Owner:  abarth@chromium.org
Closed:  Sep 2009
Cc:  evan@chromium.org, security...@gtempaccount.com, lafo...@chromium.org
M-3
Reported by chris.bi...@gmail.com, Sep 7, 2009
security@ received the following report that seems to be a duplicate of
b/1004726. It was also tested in 4.0.206.1 and 2.x:

Hi Google Security Team,

Version Tested: Google Chrome v3.0.195.10

Vulnerability: Google Chrome's inbuilt RSS/ATOM Reader renders untrusted
javascript content in an RSS/ATOM feed.

Exploit Scenarios:

1. Attacker can social engineer a user to visit a rss/atom feed link. Malicious javascript gets executed in the user's browser. It is not expected of feeds to execute untrusted content.

2. Attacker can upload a .rss/.atom/file with .rss (or .atom) in name (with arbitrary extension) on a trusted site. The trusted site might allow the upload thinking that it is not one of the executable file formats (like .html, .php, .asp) and hence won't get rendered in the browser [Chrome does not execute untrusted file types, e.g. try clicking http://securethoughts.com/security/rssatomxss/anyfile.tx]. On the contrary, if a user clicks on this link while being authenticated to this trusted site, the malicious javascript does get executed in the context of the trusted site and the user's credentials can get stolen.

Proof of Concept:

http://securethoughts.com/security/rssatomxss/googlechromexss.atom

http://securethoughts.com/security/rssatomxss/googlechromexss.rss

http://securethoughts.com/security/rssatomxss/googlechromexss.atom.tx [Any arbitrary file extension]

Suggested Fix: Don't render any javascript content of an RSS feed.

Opera 10 is vulnerable to the same issue. Microsoft IE7, IE8, Firefox 3.5
and Safari 4 are not vulnerable to this exploit.

I am planning to disclose this vulnerability on my blog in another 15 days
(September 23) and hope you can fix it by then.  I believe in responsible
disclosure and want to protect your users from potentially getting
exploited. Please feel free to contact me if you have any questions.

Thanks and Regards,

Inferno

Security Researcher

SecureThoughts.com <http://www.securethoughts.com/>
Sep 7, 2009
#1 abarth@chromium.org
Patch for trunk: http://codereview.chromium.org/201044
Status: Started
Owner: aba...@chromium.org
Cc: e...@chromium.org
Labels: -Pri-0 -Area-Misc Pri-1 Area-BrowserBackend
Sep 7, 2009
#2 mal.chromium@gmail.com
Setting mstone3 and cc'ing laforge to make sure we include this in 3.0.
Cc: secur...@chromium.org lafo...@chromium.org
Labels: Mstone-3
Sep 7, 2009
#3 abarth@chromium.org
(No comment was entered for this change.)
Labels: Security-Medium
Sep 7, 2009
#5 abarth@chromium.org
(No comment was entered for this change.)
Status: FixUnreleased
Sep 8, 2009
#6 bugdroid1@gmail.com
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=25657 

------------------------------------------------------------------------
r25657 | laforge@chromium.org | 2009-09-08 13:48:59 -0700 (Tue, 08 Sep 2009) | 11 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/195/src/chrome/browser/renderer_host/buffered_resource_handler.cc?r1=25657&r2=25656

Merge 25608 - Refuse to render RSS as XML by treating the response as text/plain.  This is
somewhat unfortunate, but we need to do this until we have a builtin feed
previewer.

R=mal
BUG=21238

Review URL: http://codereview.chromium.org/201044

TBR=abarth@chromium.org
Review URL: http://codereview.chromium.org/194044
------------------------------------------------------------------------
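The mitigation named in the commit message above (stop rendering the feed; treat the response as text/plain), applied to both scenarios in the report, as an added example that is not Chromium's buffered_resource_handler.cc code: a small render-type policy, `RenderTypeFor` (an assumed name), which downgrades a response to text/plain when the declared Content-Type is an RSS/Atom type (scenario 1) and also when a body served under any extension or a generic type sniffs as a feed by its document element (scenario 2), so embedded script is shown as text rather than executed.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Added example, not Chromium's buffered_resource_handler.cc.
std::string Lowercase(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return std::tolower(c); });
  return s;
}

// Reduce "Application/Atom+XML; charset=utf-8" to "application/atom+xml".
std::string EssenceOf(const std::string& content_type) {
  std::string essence = Lowercase(content_type);
  size_t semi = essence.find(';');
  if (semi != std::string::npos) essence.erase(semi);
  size_t first = essence.find_first_not_of(" \t");
  if (first == std::string::npos) return "";
  return essence.substr(first, essence.find_last_not_of(" \t") - first + 1);
}

// Skip the XML declaration, processing instructions and comments, then check
// whether the document element is <rss ...> (RSS) or <feed ...> (Atom).
bool LooksLikeFeed(const std::string& body_prefix) {
  std::string body = Lowercase(body_prefix);
  size_t pos = 0;
  for (;;) {
    while (pos < body.size() && std::isspace(static_cast<unsigned char>(body[pos])))
      ++pos;
    const char* close = body.compare(pos, 2, "<?") == 0 ? "?>"
                      : body.compare(pos, 4, "<!--") == 0 ? "-->" : nullptr;
    if (!close) break;
    size_t end = body.find(close, pos);
    if (end == std::string::npos) return false;  // unterminated prolog: not a feed
    pos = end + std::char_traits<char>::length(close);
  }
  return body.compare(pos, 4, "<rss") == 0 || body.compare(pos, 5, "<feed") == 0;
}

// Decide what type a response may be rendered as. A feed is never handed to an
// active-content renderer: the declared type (scenario 1 of the report) and
// the sniffed body (scenario 2: any extension, generic type) both yield text/plain.
std::string RenderTypeFor(const std::string& declared_type,
                          const std::string& body_prefix) {
  const std::string essence = EssenceOf(declared_type);
  if (essence == "application/rss+xml" || essence == "application/atom+xml")
    return "text/plain";
  if (LooksLikeFeed(body_prefix)) return "text/plain";
  return essence.empty() ? "application/octet-stream" : essence;
}
```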

Sep 14, 2009
#7 abarth@chromium.org
How should we credit the researcher?  as Inferno?
Oct 22, 2009
#8 scarybea...@gmail.com
Removing view restriction; long since fixed...
Labels: -Restrict-View-SecurityTeam SecSeverity-Medium
Oct 22, 2009
#9 scarybea...@gmail.com
(No comment was entered for this change.)
Status: Fixed
Dec 18, 2009
#10 mal.chromium@gmail.com
(No comment was entered for this change.)
Labels: -Area-BrowserBackend Area-Internals
Mar 21, 2011
#11 jsc...@chromium.org
(No comment was entered for this change.)
Labels: Type-Security
Oct 5, 2011
#12 jsc...@chromium.org
Batch update: assuming these security changes impacted stable based on some fuzzy filtering.
Labels: SecImpacts-Stable
Oct 13, 2012
#13 bugdro...@chromium.org
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Labels: Restrict-AddIssueComment-Commit
Mar 9, 2013
#14 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -SecSeverity-Medium -Mstone-3 -Area-Internals -Type-Security -SecImpacts-Stable M-3 Cr-Internals Security-Severity-Medium Security-Impact-Stable Type-Bug-Security
Mar 13, 2013
#15 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Mar 21, 2013
#16 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Impact-Stable Security_Impact-Stable
Mar 21, 2013
#17 bugdro...@chromium.org
(No comment was entered for this change.)
Labels: -Security-Severity-Medium Security_Severity-Medium