Issue 112325 Security: Copy-paste preserves <embed> tags containing active content
Starred by 2 users. Reported by mdempsky@google.com, Feb 1 2012
Status: Fixed
Owner:
Closed: Jan 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security
VULNERABILITY DETAILS
Copying an HTML snippet that includes an <embed> tag and then pasting into a content-editable div box (e.g., gmail compose area) can result in XSS on the pastee host page.

Credit: This was originally reported to Google Security by Subho Halder, Aditya Gupta, and Dev Kar of xys3c (xysec.com).

VERSION
Chrome Version: 17.0.963.44 beta
Operating System: Ubuntu 10.04

REPRODUCTION CASE
http://shinobi.dempsky.org/~matthew/misc/copy-paste-xss/
This also works across origins, i.e. if the contenteditable div is within a page in a different origin.
 
Labels: -Pri-0 -Area-Undefined Pri-2 Area-WebKit OS-All SecImpacts-Stable SecSeverity-Medium Mstone-16 WebKit-Editing
Status: Available
Confirmed to work by pasting into this rich edit control sample:
http://samples.msdn.microsoft.com/workshop/samples/author/editing/HTML_Editor/StepThree_A.htm

The repro also works with drag+drop, which may be easier to trick a user into doing. Assigning Severity Medium (not High because of required user interaction).

This is WebKit specific and it also affects Safari.
Upstream: https://bugs.webkit.org/show_bug.cgi?id=77625

Btw, the payload is an EMBED tag that loads an .swf file from an attacker-controlled server. The Flash object has access to the DOM of the page into which the HTML snippet is pasted.
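As an added example that is not from this thread or from Chromium's patch: an application-side guard that a host page with a contenteditable composer (the Gmail case above) can apply regardless of the browser fix, dropping plugin and other active elements from pasted or dropped HTML before it reaches the page's DOM. It assumes only standard DOM APIs; the tag and attribute lists are this example's own choices, not something the bug specifies.

```javascript
// Active-content elements: EMBED is this bug's Flash vector; the rest never belong in a paste.
const ACTIVE_TAGS = new Set(['EMBED', 'OBJECT', 'APPLET', 'SCRIPT', 'IFRAME', 'FRAME',
  'FRAMESET', 'LINK', 'META', 'STYLE', 'BASE', 'FORM', 'TEMPLATE', 'SVG', 'MATH']);
const URL_ATTRS = new Set(['href', 'src', 'action', 'formaction', 'xlink:href', 'data']);
// Drop inline handlers and script-bearing URLs attribute by attribute. Control characters
// are stripped first because browsers ignore them inside e.g. "java\tscript:".
function isUnsafeAttribute(name, value) {
  const n = name.toLowerCase();
  if (n.startsWith('on') || n === 'srcdoc') return true;
  if (!URL_ATTRS.has(n)) return false;
  const v = String(value).replace(/[\u0000-\u0020]/g, '').toLowerCase();
  return /^(javascript|vbscript|data):/.test(v); // data: also drops inline images; tune per editor
}
// Clean a subtree in place using only standard Node members, so it works on any DOM-shaped tree.
function sanitizeTree(root) {
  for (const child of Array.from(root.childNodes)) { // snapshot: the loop mutates the list
    if (child.nodeType === 1) {
      if (ACTIVE_TAGS.has(child.nodeName.toUpperCase())) { child.remove(); continue; }
      for (const attr of Array.from(child.attributes)) {
        if (isUnsafeAttribute(attr.name, attr.value)) child.removeAttribute(attr.name);
      }
      sanitizeTree(child);
    } else if (child.nodeType !== 3) {
      child.remove(); // keep text nodes, drop comments and processing instructions
    }
  }
}
// Parse clipboard HTML into an inert document, clean it, then move (never re-serialise) the nodes.
function sanitizedFragmentFromHtml(html) {
  const doc = new DOMParser().parseFromString(html, 'text/html');
  sanitizeTree(doc.body);
  const frag = document.createDocumentFragment();
  while (doc.body.firstChild) frag.appendChild(doc.body.firstChild);
  return frag;
}
// Cover both vectors named in the thread: paste and drag-and-drop.
function installPasteGuard(editable) {
  const handler = (ev) => {
    const html = (ev.clipboardData || ev.dataTransfer).getData('text/html');
    if (!html) return; // plain text: the browser's default insertion is fine
    ev.preventDefault();
    const sel = window.getSelection(); // for drop, caretRangeFromPoint(ev.clientX, ev.clientY) is the better caret
    if (!sel.rangeCount) return;
    const range = sel.getRangeAt(0);
    range.deleteContents();
    range.insertNode(sanitizedFragmentFromHtml(html));
  };
  editable.addEventListener('paste', handler);
  editable.addEventListener('drop', handler);
}
```

Call `installPasteGuard(document.querySelector('[contenteditable]'))` once the composer exists; because the nodes are moved rather than serialised and re-parsed, the cleaned tree is exactly what gets inserted.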
Comment 3 by rniwa@chromium.org, Feb 2 2012
Cc: rniwa@chromium.org
Please cc me on the WebKit bug 77625.
done!
Labels: -Mstone-16 Mstone-17
moving m16 bugs to m17.
Hey Ryosuke, I noticed in the WebKit bug that things stalled after you asked for help. Could you try to get things going again?
Issue 117183 has been merged into this issue.
Cc: secur...@xysec.com
security@xysec.com, do you want to register on bugs.webkit.org, so that we can cc you on the upstream bug ?
Registered on bugs.webkit.org with the email security@xysec.com. Please CC.
Thanks. 
Labels: -Mstone-17 Mstone-18
Updating milestone. m18 is already out.
Comment 12 by kareng@google.com, Mar 30 2012
Labels: -Mstone-18 Mstone-20
Comment 13 by kareng@google.com, Mar 30 2012
Labels: MovedFrom18
Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.
Labels: -Mstone-18 Mstone-19
m19 is out, moving milestone m18 bugs to m19.
Labels: reward-topanel
Labels: -Mstone-19 Mstone-20
Bulk Edit: m20 is shipped. Rolling open m19 bugs forward.
Comment 18 by rniwa@chromium.org, Jul 11 2012
Cc: tony@chromium.org dcheng@chromium.org abarth@chromium.org
Labels: -Mstone-20 Mstone-21 SecImpacts-Beta
Labels: Security-CodeYellow
Please do read Mark's email titled "Code Yellow: Security Bug Backlog" on chrome-team mailing list.
Cc: ojan@chromium.org
What do other browsers do in this case? Do we want to keep this bug open?
The WebKit community has still not come to a proper decision!
Labels: -Mstone-21 Mstone-24
Owner: abarth@chromium.org
Status: Assigned
Adam, didn't you express an interest in this one?
If not, perhaps Tom?

Seems this one is indeed getting a bit long in the tooth.
Cc: nlidz@google.com
If we are already stripping script (e.g. event handlers in divs), it seems obvious to also strip embeds. What's the confusion?

The Gmail people are concerned about this problem.
This is on the WebKit side of things, so we have to accommodate everybody, and some clients want it one way and other clients insist it not be changed. To appease everyone, this needs to be a new setting, and I started to cobble up a patch to add the plumbing, but I didn't finish.
Comment 26 by secur...@xysec.com, Dec 22 2012
>If we are already stripping script (e.g. event handlers in divs), it seems obvious to also strip embeds. What's the confusion?

On the WebKit side, Apple's Mail uses the object element to represent attachments. But stripping the embed tag only on the paste event still doesn't collide with this feature! I don't get why such a simple stripping of an embed element is going to block the feature?
Cc: darin@chromium.org
It seems like webkit has just fixed it from their end.
Changelog : http://trac.webkit.org/changeset/139111
Yeah, that was my patch in 139111. There's a (hopefully) 1-line change to Chromium that's required to take advantage of this.
Comment 31 by secur...@xysec.com, Jan 10 2013
Yup, that was a nice patch; I had gone through your patch and it seems a better solution. Hope Chromium implements this soon; this bug has been open for nearly 11 months!
Owner: tsepez@chromium.org
Status: Assigned
Project Member Comment 34 by bugdroid1@chromium.org, Jan 15 2013
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=176856

------------------------------------------------------------------------
r176856 | tsepez@chromium.org | 2013-01-15T08:42:11.841167Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webpreferences.cc?r1=176856&r2=176855&pathrev=176856

Copy-paste preserves <embed> tags containing active content.
BUG= 112325 

Enable webkit preference for Chromium to disallow unsafe plugin pasting.

Review URL: https://chromiumcodereview.appspot.com/11884025
------------------------------------------------------------------------
Labels: -Restrict-View-SecurityTeam -Mstone-24 Restrict-View-SecurityNotify Mstone-26
Status: Fixed
I'd suggest *not* merging this to m25 and just letting it roll out; some folks might be disrupted.
Labels: Release-0
Good idea, Tom! Thanks for pushing this through.

BTW, if we're just going to let this roll into M26 then we should also set the "Release-0" label since the bug does affect shipping stable Chrome.
Labels: -reward-topanel
Project Member Comment 38 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecSeverity-Medium -WebKit-Editing -Mstone-26 -SecImpacts-Beta Cr-Content Security-Impact-Stable Cr-Content-Editing Security-Impact-Beta Security-Severity-Medium M-26 Type-Bug-Security
Project Member Comment 39 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 40 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 41 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Beta Security_Impact-Beta
Labels: CVE-2013-0926
Project Member Comment 43 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 44 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content-Editing Cr-Blink-Editing
Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Project Member Comment 46 by sheriffbot@chromium.org, Jun 14 2016
Labels: -security_impact-beta
Project Member Comment 47 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 48 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic