
Issue 147625 link


Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Sep 2012
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 1
Type: Bug-Security




Security: UXSS/SOP bypass with document.write (Chrome on iOS)

Reported by lpil...@gmail.com, Sep 10 2012

Issue description

VULNERABILITY DETAILS
It is possible to get cross-domain JavaScript access using document.write:
http://runic.pl/testy/ipad/uxss.html

VERSION
Chrome Version: Chrome 21.0.1180.80 stable
Operating System: iOS 5.1.1 (iPad 2)

REPRODUCTION CASE
http://runic.pl/testy/ipad/uxss.html

May also be related to http://code.google.com/p/chromium/issues/detail?id=146760


Comment 1 by palmer@chromium.org, Sep 10 2012

Cc: astrange@chromium.org palmer@chromium.org whitelaw@chromium.org pinkerton@chromium.org
Labels: -Pri-0 -Area-Undefined Pri-1 Area-Internals OS-iOS Mstone-22 SecImpacts-Stable
Owner: qsr@chromium.org
Status: Assigned
Assigning to qsr on the assumption that it is related to http://code.google.com/p/chromium/issues/detail?id=146760.

This does work on iPod/iPhone, not just iPad. The alert does fire, so the script does get injected to the other domain, although the pop-up box has "about://null" in its title bar, and the Omnibox shows "about:blank" instead of example.com. But the contents of IANA's example.com page do indeed show up in the pop-up.

Comment 2 by palmer@chromium.org, Sep 10 2012

Labels: reward-topanel
This is being tracked by b/7143205.

Comment 4 by qsr@chromium.org, Sep 11 2012

This was not related to http://code.google.com/p/chromium/issues/detail?id=146760.

This was due to not passing a baseURL when loading an HTML string in a webview, resulting in the internal URL of the webview being applewebdata://XXXX which seems to be able to do anything it wants, X-Origin.

Fixed.
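
An added illustration of the root cause described in comment 4, written for this page and not taken from Chrome's code: the UIWebView methods are real, while the helper functions and the choice of about:blank as base URL are assumptions.

```objc
#import <UIKit/UIKit.h>

// Weak form: loading generated HTML with a nil baseURL leaves the document on
// an applewebdata://<UUID> URL, the origin that comment 4 reports as being able
// to script other origins. (Hypothetical helper, not Chrome's code.)
static void LoadGeneratedHTMLUnsafe(UIWebView *webView, NSString *html) {
    [webView loadHTMLString:html baseURL:nil];
}

// Corrected form: always hand the webview an explicit baseURL so the document
// gets a deliberate origin. about:blank is an assumed choice here; the actual
// fix may have used a different base URL.
static void LoadGeneratedHTML(UIWebView *webView, NSString *html) {
    NSURL *base = [NSURL URLWithString:@"about:blank"];
    [webView loadHTMLString:html baseURL:base];
}

// Regression check, to be called once loading has finished (for example from
// webViewDidFinishLoad:): confirm the document did not end up on the
// applewebdata: scheme.
static BOOL WebViewHasSafeOrigin(UIWebView *webView) {
    NSString *scheme = [webView stringByEvaluatingJavaScriptFromString:
                        @"document.location.protocol"];
    return ![scheme isEqualToString:@"applewebdata:"];
}
```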

Comment 5 by qsr@chromium.org, Sep 11 2012

Status: Fixed

Comment 6 by palmer@chromium.org, Sep 24 2012

Labels: SecSeverity-High

Comment 7 by lpil...@gmail.com, Sep 25 2012

I confirm it's fixed in 21.0.1180.82, thanks.

Comment 8 by palmer@chromium.org, Sep 25 2012

Cc: kerz@chromium.org
Labels: -Mstone-22 Mstone-21
pinkerton (or anybody), I take it this one also made it into M21 after all?

Again, sorry kerz. How shall we announce these fixes in release notes? Issue a correction in the M23 release notes?
From qsr: "Pushed to B21 as cc06e1047cad8baa74320533a2322818a79d8f6f"


Comment 10 by palmer@google.com, Sep 26 2012

lpilorz, how would you like us to credit you in the Chrome release notes? As Lukasz Pilorz, or in some other way?

Comment 11 by palmer@google.com, Sep 26 2012

(Rather, I assume, Łukasz Pilorz. Took me a while to find the right Compose key combination on Linux. :))

Comment 12 by lpil...@gmail.com, Sep 26 2012

"Łukasz Pilorz" would be great, thanks :)
Labels: CVE-2012-2899
Labels: -reward-topanel reward-500 reward-unpaid
Labels: -reward-unpaid
Payment ready for wire as part of $1000 batch

Comment 16 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -Area-Internals -Mstone-21 -SecImpacts-Stable -SecSeverity-High Security-Impact-Stable M-21 Cr-Internals Security-Severity-High Type-Bug-Security
Labels: -Restrict-View-SecurityTeam

Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-High Security_Severity-High

Comment 19 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable

Comment 20 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 21 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 22 by sheriffbot@chromium.org, Oct 2 2016

Labels: Restrict-View-SecurityNotify
Labels: allpublic

Comment 24 by sheriffbot@chromium.org, Oct 3 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: CVE_description-submitted
