Issue metadata

Status: Fixed
Owner:
Closed: Jan 2013
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Security

Issue 112325: Security: Copy-paste preserves <embed> tags containing active content

Reported by mdempsky@google.com, Feb 1 2012 Project Member

Issue description

VULNERABILITY DETAILS
Copying an HTML snippet that includes an <embed> tag and then pasting into a content-editable div box (e.g., gmail compose area) can result in XSS on the pastee host page.

Credit: This was originally reported to Google Security by Subho Halder, Aditya Gupta, and Dev Kar of xys3c (xysec.com).

VERSION
Chrome Version: 17.0.963.44 beta
Operating System: Ubuntu 10.04

REPRODUCTION CASE
http://shinobi.dempsky.org/~matthew/misc/copy-paste-xss/
This also works across origins, i.e. if the contenteditable div is within a page in a different origin.

Comment 1 by skylined@chromium.org, Feb 2 2012

Labels: -Pri-0 -Area-Undefined Pri-2 Area-WebKit OS-All SecImpacts-Stable SecSeverity-Medium Mstone-16 WebKit-Editing
Status: Available
Confirmed to work by pasting into this rich edit control sample:
http://samples.msdn.microsoft.com/workshop/samples/author/editing/HTML_Editor/StepThree_A.htm

The repro also works with drag+drop, which may be easier to trick a user into doing. Assigning Severity Medium (not High because of required user interaction).

This is WebKit specific and it also affects Safari.

Comment 2 by skylined@chromium.org, Feb 2 2012

Upstream: https://bugs.webkit.org/show_bug.cgi?id=77625

Btw. the payload is an EMBED tag that loads an .swf file from an attacker-controlled server. The Flash object has access to the DOM of the page in which the HTML snippet is pasted.

Comment 3 by rniwa@chromium.org, Feb 2 2012

Cc: rniwa@chromium.org
Please cc me on the WebKit bug 77625.

Comment 4 by infe...@chromium.org, Feb 2 2012

done!

Comment 5 by infe...@chromium.org, Feb 14 2012

Labels: -Mstone-16 Mstone-17
moving m16 bugs to m17.

Comment 6 by skylined@chromium.org, Mar 1 2012

Hey Ryosuke, I noticed in the WebKit bug that things stalled after you asked for help. Could you try to get things going again?

Comment 7 by infe...@chromium.org, Mar 7 2012

Issue 117183 has been merged into this issue.

Comment 8 by infe...@chromium.org, Mar 7 2012

Cc: secur...@xysec.com

Comment 9 by infe...@chromium.org, Mar 7 2012

security@xysec.com, do you want to register on bugs.webkit.org, so that we can cc you on the upstream bug?

Comment 10 by secur...@xysec.com, Mar 7 2012

Registered on bugs.webkit.org with the email security@xysec.com. Please CC.
Thanks.

Comment 11 by infe...@chromium.org, Mar 29 2012

Labels: -Mstone-17 Mstone-18
Updating milestone. m18 is already out.

Comment 12 by kareng@google.com, Mar 30 2012

Labels: -Mstone-18 Mstone-20

Comment 13 by kareng@google.com, Mar 30 2012

Labels: MovedFrom18

Comment 14 by infe...@chromium.org, Mar 30 2012

Labels: -Mstone-20 -MovedFrom18 Mstone-18
Reverting wrong marking of security bugs by release management.

Comment 15 by infe...@chromium.org, May 16 2012

Labels: -Mstone-18 Mstone-19
m19 is out, moving milestone m18 bugs to m19.

Comment 16 by scarybea...@gmail.com, Jun 18 2012

Labels: reward-topanel

Comment 17 by jsc...@chromium.org, Jun 29 2012

Labels: -Mstone-19 Mstone-20
Bulk Edit: m20 is shipped. Rolling open m19 bugs forward.

Comment 18 by rniwa@chromium.org, Jul 11 2012

Cc: tony@chromium.org dcheng@chromium.org abarth@chromium.org

Comment 19 by infe...@chromium.org, Aug 1 2012

Labels: -Mstone-20 Mstone-21 SecImpacts-Beta

Comment 20 by infe...@chromium.org, Aug 2 2012

Labels: Security-CodeYellow
Please do read Mark's email titled "Code Yellow: Security Bug Backlog" on chrome-team mailing list.

Comment 21 by infe...@chromium.org, Aug 16 2012

Cc: ojan@chromium.org
What do other browsers do in this case? Do we want to keep this bug open?

Comment 22 by secur...@xysec.com, Oct 7 2012

The WebKit community has still not come to a proper decision!

Comment 23 by scarybea...@gmail.com, Oct 8 2012

Labels: -Mstone-21 Mstone-24
Owner: abarth@chromium.org
Status: Assigned
Adam, didn't you express an interest in this one?
If not, perhaps Tom?

Seems this one is indeed getting a bit long in the tooth.

Comment 24 by palmer@chromium.org, Dec 7 2012

Cc: nlidz@google.com
If we are already stripping script (e.g. event handlers in divs), it seems obvious to also strip embeds. What's the confusion?

The Gmail people are concerned about this problem.

Comment 25 by tsepez@chromium.org, Dec 8 2012

This is on the WebKit side of things, so we have to accommodate everybody, and some clients want it one way and other clients insist it not be changed. To appease everyone, this needs to be a new setting, and I started to cobble up a patch to add the plumbing, but I didn't finish.

Comment 26 by secur...@xysec.com, Dec 22 2012

>If we are already stripping script (e.g. event handlers in divs), it seems obvious to also strip embeds. What's the confusion?

On the WebKit side, Apple's Mail uses the object element to represent attachments. But stripping the embed tag only on the paste event still doesn't collide with this feature! I don't get why such a simple stripping of an embed element is going to block the feature?
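A defence-in-depth measure an application can apply on its own side, regardless of how the browser's editing code behaves, is to intercept paste and drop on the contenteditable element and strip plugin elements and inline event handlers before anything is inserted (the stripping discussed in comments 24 and 26). This is an added example, not Chromium or WebKit code; it goes beyond <embed> alone by also dropping <object>, <applet> and <script>, and the names `pastePolicy`, `sanitizeSubtree` and `installPasteGuard` are my own.

```javascript
// Added example (not from the Chromium/WebKit code base): application-side
// sanitisation of HTML pasted or dropped into a contenteditable editor.

// Elements that instantiate active content when inserted into a live document.
// Goes beyond <embed> alone: <object>/<applet> are plugin containers too.
const ACTIVE_CONTENT_TAGS = new Set(['EMBED', 'OBJECT', 'APPLET', 'SCRIPT']);

// Policy for one element, kept free of DOM calls so it can be unit-tested:
// returns null when the element must be removed outright, otherwise the
// attribute names that may be kept (inline on* event handlers are dropped).
function pastePolicy(tagName, attributeNames) {
  if (ACTIVE_CONTENT_TAGS.has(tagName.toUpperCase())) return null;
  return attributeNames.filter((name) => !/^on/i.test(name));
}

// Apply the policy to every element below `root` (an Element or
// DocumentFragment) in place. Browser only.
function sanitizeSubtree(root) {
  for (const el of Array.from(root.querySelectorAll('*'))) {
    const names = Array.from(el.attributes, (attr) => attr.name);
    const keep = pastePolicy(el.tagName, names);
    if (keep === null) {
      el.remove(); // removes the plugin element and anything nested in it
      continue;
    }
    for (const name of names) {
      if (!keep.includes(name)) el.removeAttribute(name);
    }
  }
}

// Replace the browser's own insertion of text/html with a sanitised one.
// Assumption: for drop, the fragment is inserted at the current caret
// rather than the drop point, which keeps the example short.
function installPasteGuard(editor) {
  const onInsert = (event) => {
    const transfer = event.clipboardData || event.dataTransfer;
    const html = transfer && transfer.getData('text/html');
    if (!html) return; // plain-text paste: nothing active to strip
    event.preventDefault(); // stop the unsanitised default insertion
    const template = editor.ownerDocument.createElement('template');
    template.innerHTML = html; // parsed inertly: no plugin is instantiated here
    sanitizeSubtree(template.content);
    const selection = editor.ownerDocument.getSelection();
    if (!selection || selection.rangeCount === 0) return;
    const range = selection.getRangeAt(0);
    range.deleteContents();
    range.insertNode(template.content);
  };
  editor.addEventListener('paste', onInsert);
  editor.addEventListener('drop', onInsert);
}
```

In a page, call `installPasteGuard(document.querySelector('[contenteditable]'))` once the editor exists; the policy function alone is what the rest of the code depends on, so widening it (for example to iframes) needs no change to the handlers.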

Comment 27 by tsepez@chromium.org, Jan 8 2013

Cc: darin@chromium.org

Comment 28 Deleted

Comment 29 by secur...@xysec.com, Jan 8 2013

It seems like webkit has just fixed it from their end.
Changelog : http://trac.webkit.org/changeset/139111

Comment 30 by tsepez@chromium.org, Jan 8 2013

Yeah, that was my patch in 139111.  There's a (hopefully) 1-line change to chromium that's required to take advantage of this.

Comment 31 by secur...@xysec.com, Jan 10 2013

Yup, that was a nice patch. I went through your patch; it seems a better solution. Hope Chromium implements this soon, this bug has been open for nearly 11 months!

Comment 32 by tsepez@chromium.org, Jan 14 2013

Status: tsepezchromium.org

Comment 33 by tsepez@chromium.org, Jan 14 2013

Owner: tsepez@chromium.org
Status: Assigned

Comment 34 by bugdroid1@chromium.org, Jan 15 2013

Project Member
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=176856

------------------------------------------------------------------------
r176856 | tsepez@chromium.org | 2013-01-15T08:42:11.841167Z

Changed paths:
   M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/webpreferences.cc?r1=176856&r2=176855&pathrev=176856

Copy-paste preserves <embed> tags containing active content.
BUG= 112325 

Enable webkit preference for Chromium to disallow unsafe plugin pasting.

Review URL: https://chromiumcodereview.appspot.com/11884025
------------------------------------------------------------------------

Comment 35 by tsepez@chromium.org, Jan 15 2013

Labels: -Restrict-View-SecurityTeam -Mstone-24 Restrict-View-SecurityNotify Mstone-26
Status: Fixed
I'd suggest *not* merging this to m25 and just letting it roll out; some folks might be disrupted.

Comment 36 by scarybea...@gmail.com, Jan 15 2013

Labels: Release-0
Good idea, Tom! Thanks for pushing this through.

BTW, if we're just going to let this roll into M26 then we should also set the "Release-0" label since the bug does affect shipping stable Chrome.

Comment 37 by scarybea...@gmail.com, Jan 22 2013

Labels: -reward-topanel

Comment 38 by bugdroid1@chromium.org, Mar 10 2013

Project Member
Labels: -Type-Security -Area-WebKit -SecImpacts-Stable -SecSeverity-Medium -WebKit-Editing -Mstone-26 -SecImpacts-Beta Cr-Content Security-Impact-Stable Cr-Content-Editing Security-Impact-Beta Security-Severity-Medium M-26 Type-Bug-Security

Comment 39 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 40 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Severity-Medium Security_Severity-Medium

Comment 41 by bugdroid1@chromium.org, Mar 21 2013

Project Member
Labels: -Security-Impact-Beta Security_Impact-Beta

Comment 42 by scarybea...@gmail.com, Mar 23 2013

Labels: CVE-2013-0926

Comment 43 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content Cr-Blink

Comment 44 by bugdroid1@chromium.org, Apr 6 2013

Project Member
Labels: -Cr-Content-Editing Cr-Blink-Editing

Comment 45 by jsc...@chromium.org, Nov 18 2013

Labels: -Restrict-View-SecurityNotify
Bulk release of old security bug reports.

Comment 46 by sheriffbot@chromium.org, Jun 14 2016

Project Member
Labels: -security_impact-beta

Comment 47 by sheriffbot@chromium.org, Oct 1 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 48 by sheriffbot@chromium.org, Oct 2 2016

Project Member
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 49 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 50 by awhalley@chromium.org, Apr 25 2018

Labels: CVE_description-submitted
