Issue 40445: Cross Origin Bypass using iframe & " " on JAVASCRIPT URI
similar to 37383 TESTCASE: http://www.alternativ-testing.fr/googlechrossfd156d4f84dssd89v4ffd984/crossoriginbypass.html code: <iframe name="test" src="http://www.google.fr"></iframe> <input type=button value="test" onclick="window.open('[%09]javascri[%09]pt:alert(document.cookie)','test')" >
,
Apr 5, 2010
Issue 40446 has been merged into this issue.
,
Apr 5, 2010
Sorry for the 2nd issue reported.
,
Apr 5, 2010
No worries Jconsultant. Thank you very much for this bug.
ccing Adam and Justin to see what they think of this solution.
We need to canonicalize url using KURL at various places and NOT use it directly with
valueToStringWith*.
currently it is used like
String urlString = valueToStringWithUndefinedOrNullCheck(exec, args.at(0));
whereas it should be
KURL url(ParsedURLString, toWebCoreStringWithNullOrUndefinedCheck(args[0]));
String urlString = url.string();
(this nullifies the exploit completely)
affected files (rough estimate, can be +/-):
trunk/src/third_party/WebKit/WebCore/bindings/js/JSDOMWindowCustom.cpp
trunk/src/third_party/WebKit/WebCore/bindings/js/JSWebSocketConstructor.cpp
trunk/src/third_party/WebKit/WebCore/bindings/v8/custom/V8DOMWindowCustom.cpp
trunk/src/third_party/WebKit/WebCore/platform/chromium/PasteboardChromium.cpp
trunk/src/third_party/WebKit/WebCore/bindings/js/JSHistoryCustom.cpp
trunk/src/third_party/WebKit/WebCore/bindings/js/JSElementCustom.cpp
trunk/src/third_party/WebKit/WebCore/bindings/js/JSHTMLIFrameElementCustom.cpp
trunk/src/third_party/WebKit/WebCore/bindings/js/JSHTMLFrameElementCustom.cpp
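To illustrate the canonicalize-then-check point above, here is an added C++ example; it is not code from the Chromium or WebKit patch. The canonicalizer is a hypothetical minimal model of what a URL parser such as KURL/googleurl does (drop ASCII tab, LF and CR, lowercase the scheme), and the two navigation-check functions are assumed names.

```cpp
#include <cctype>
#include <string>

// Hypothetical minimal canonicalizer (assumption, not the real KURL code):
// strips characters a URL parser ignores and lowercases the scheme, so
// "\tjavascri\tpt:" and "javascript:" end up as the same string.
std::string canonicalize(const std::string& raw) {
    std::string out;
    for (char c : raw) {
        if (c == '\t' || c == '\n' || c == '\r') continue;  // parser drops these
        out.push_back(c);
    }
    size_t colon = out.find(':');
    for (size_t i = 0; i < out.size() && i < colon; ++i)
        out[i] = static_cast<char>(std::tolower(static_cast<unsigned char>(out[i])));
    return out;
}

bool isJavaScriptScheme(const std::string& url) {
    return url.rfind("javascript:", 0) == 0;
}

// Buggy pattern from the bug report: the cross-origin check runs on the raw
// string from the JS binding. A tab inside the scheme makes the check say
// "not JavaScript", so the navigation is allowed; the frame loader then
// canonicalizes the URL and runs it as javascript: in the target frame.
bool unsafeAllowsNavigation(const std::string& raw, bool crossOrigin) {
    return !(crossOrigin && isJavaScriptScheme(raw));
}

// Fixed pattern: canonicalize first, then check, so the check sees exactly the
// URL the loader will execute. Plain http(s) cross-origin navigation is still
// permitted; only a javascript: URL into a cross-origin frame is refused.
bool safeAllowsNavigation(const std::string& raw, bool crossOrigin) {
    return !(crossOrigin && isJavaScriptScheme(canonicalize(raw)));
}
```

The second function is what the KURL-based change above achieves: the security decision and the navigation operate on the same canonical string.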
,
Apr 5, 2010
I have also reported a website XSS using %09 unicode on javascript URI scheme (Issue http://code.google.com/p/chromium/issues/detail?id=39993). But this new issue is really more critical. SecSeverity-High?
,
Apr 5, 2010
Yes Jconsultant, this issue is definitely critical and explains in detail how the cross origin exploit can work. Marking severity as high. After analyzing, the tentative list boils down to the files listed below. I will fix both the Safari JS bindings and Chrome V8 bindings.
M bindings\js\JSElementCustom.cpp
M bindings\js\JSHTMLFrameElementCustom.cpp
M bindings\js\JSHistoryCustom.cpp
M bindings\js\JSHTMLIFrameElementCustom.cpp
M bindings\js\JSDOMWindowCustom.cpp
M bindings\v8\custom\V8DOMWindowCustom.cpp
Labels: -Area-Undefined Area-WebKit SecSeverity-High
,
Apr 5, 2010
(No comment was entered for this change.)
Cc: jsc...@chromium.org
,
Apr 5, 2010
reported upstream.
,
Apr 5, 2010
I would like to thank you for your rapid answer :-). So, this bug is valid for the proposed Chromium-Security-Reward?
,
Apr 5, 2010
@jconsultant.chancel: I will ask the panel about a reward right away. Good bug, thanks.
,
Apr 5, 2010
BTW, what would you like us to use as a credit for you? <Name> <of optional affiliation>.
,
Apr 5, 2010
Name : Jordi Chancel
,
Apr 5, 2010
Correction, just my name will be enough.
,
Apr 6, 2010
forgot to include upstream bug url https://bugs.webkit.org/show_bug.cgi?id=37128
,
Apr 6, 2010
adding Dimitri to cc list so that he can review my cl for v8 bindings.
Cc: dglaz...@chromium.org
,
Apr 6, 2010
\u0000javascri[%09]pt:alert(document.cookie) can bypass Cross-Origin as well.
,
Apr 6, 2010
TESTCASE2: http://www.alternativ-testing.fr/googlechrossfd156d4f84dssd89v4ffd984/crossoriginbypass-2.html
,
Apr 6, 2010
thanks Jordi, our fix should fix all these variants.
,
Apr 7, 2010
Adding Brett.
Cc: -dglaz...@chromium.org bre...@chromium.org
,
Apr 7, 2010
(No comment was entered for this change.)
Labels: Mstone-5
,
Apr 7, 2010
@Jordi Chancel: thanks again for the report! Subject to continuing responsible disclosure, the panel would like to reward you $1000! Congrats. We normally fix security bugs very fast indeed. But there are substantial complications to fix this one, so please bear with us whilst we work through them.
Labels: Reward-1000
,
Apr 7, 2010
Thank you very much for this reward!
,
Apr 7, 2010
BTW, when do you want my personal address for sending the reward?
,
Apr 7, 2010
I'll generally reach out to you for needed details once we're about to release a patch with the fix.
,
Apr 8, 2010
Bug is reviewed in http://codereview.chromium.org/1558030 and patched in googleurl library - http://code.google.com/p/google-url/source/detail?r=129. Brett is helping to pull up this patched googleurl into our chrome code.
,
Apr 8, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=43991
------------------------------------------------------------------------
r43991 | inferno@chromium.org | 2010-04-08 12:49:53 -0700 (Thu, 08 Apr 2010) | 6 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/branches/249/src/DEPS?r1=43991&r2=43990
Pull r130 of googleurl.
BUG=40445
TEST=unit test on the googleurl side
Review URL: http://codereview.chromium.org/1512027
------------------------------------------------------------------------
,
Apr 8, 2010
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=43996
------------------------------------------------------------------------
r43996 | brettw@chromium.org | 2010-04-08 13:06:55 -0700 (Thu, 08 Apr 2010) | 5 lines
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/DEPS?r1=43996&r2=43995
Pull r129 of googleurl, plus r130 which adds a newline for the Mac.
BUG=40445
TEST=unit test on the googleurl side
Review URL: http://codereview.chromium.org/1604018
------------------------------------------------------------------------
,
Apr 8, 2010
Should be fixed in r40445, this has not yet been pulled to any branches.
Status: Fixed
,
Apr 8, 2010
Let's keep this in FixUnreleased, until we release it in stable.
Status: FixUnreleased
,
Apr 8, 2010
Yeah. It won't make the imminent patch, but should be OK to merge for the next one, Abhishek? (Once the branch is open again?)
,
Apr 8, 2010
Ok looks like it will make the imminent patch.
Labels: -Mstone-5 Mstone-4.1
,
Apr 13, 2010
The GURL update did not work on the 249 branch, so this will not be fixed in the next 249 update. I'll consider branching GURL to get this fix in if it looks like Chrome 5 is going to slip much later.
Labels: -Mstone-4.1 Mstone-5
,
Apr 13, 2010
Aha, is this because pulling in the latest GURL involved 9 patches other than the security fix? I think we should target another 4.1 patch, with this fix plus the fix Justin is working on for another related issue.
,
Apr 14, 2010
Resolved for the next stable update?
,
Apr 23, 2010
Jordi, an update for you. We are releasing the fix in the upcoming v4.1 patch. You will be credited in the release notes. Thanks again for this great bug.
,
Apr 23, 2010
Thank you for this information. Have you an idea of the release date?
,
Apr 23, 2010
unsure on the exact date, but sometime early next week.
,
May 18, 2010
Was fixed in 4.1.249.1064
Status: Fixed
Labels: -Restrict-View-SecurityTeam
,
Oct 10, 2010
A note for the official record. It turns out this bug was publicly disclosed prior to the fix being released: https://www.alternativ-testing.fr/blog/index.php?post/2010/Google-Chrome-Cross-Origin-Vulnerability An early disclosure such as this would typically cancel any provisionally offered reward. Whilst disclosure, blogging, etc. of fixed bugs is encouraged, it is preferred if the fixes are available to users before any external disclosures.
,
Oct 12, 2010
An asshole? Jordi give the money back.
,
Oct 12, 2010
(No comment was entered for this change.)
Labels: Restrict-AddIssueComment-Commit
,
Mar 21, 2011
(No comment was entered for this change.)
Labels: Type-Security
,
Oct 4, 2011
Batch update.
Labels: SecImpacts-Stable
Owner: infe...@chromium.org