Security: Buffer Overflow
Reported by pabster...@gmail.com, Feb 28 2016
Issue description

This template is ONLY for reporting security bugs. Please use a different template for other types of bug reports. Please see the following link for instructions on filing security bugs: http://www.chromium.org/Home/chromium-security/reporting-security-bugs

VULNERABILITY DETAILS
Buffer overflow when putting too much stuff in a return on an onbeforeunload. What happens is that the full path is disclosed and it also gives some more maybe meaningful stuff. The thing is that the original HTML is overwritten and maybe by manipulating it it may be possible to perform RCE or other dangerous stuff. It is also possible to use that attack on another website to get the full path and more.

VERSION
Chrome Version: Newest
Operating System: Macintosh

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
Type of crash: [tab, browser, etc.]
Crash State: [see link above: stack trace, registers, exception record]
Client ID (if relevant): [see link above]
Feb 28 2016
It does not have to be in a return on onbeforeunload
Feb 28 2016
Wait, the file there is wrong.
Feb 28 2016
The file I linked has the result; what produces it is putting 418143 characters in:

    <!DOCTYPE html>
    <html>
    <body onbeforeunload="return myFunction()">
    <p>Close this window, press F5 or click on the link below to invoke the onbeforeunload event.</p>
    <a href="http://www.w3schools.com">Click here to go to w3schools.com</a>
    <script>
    function myFunction() {
      // "the 418143 char" stands in for the 418143-character string
      return "the 418143 char";
    }
    </script>
    </body>
    </html>
Feb 29 2016
ClusterFuzz is analyzing your testcase. Developers can follow the progress at https://cluster-fuzz.appspot.com/testcase?key=6239157355020288
Feb 29 2016
Thanks for the report. However, I cannot reproduce this, with either the testcase in the original report, or the one in #4. Please post a stack trace or a crash ID. Until then, I'm marking this as WontFix.
Mar 1 2016
After I reviewed my steps I do not understand what is actually happening here. When I created the file, I moved it to my desktop, when moving it there, the file re-wrote its source code and changed it to the content I showed in the original report. It seems to be something strange, I tested it and tried it on another website and on Chrome it gives me an empty response or a 400 or in some websites they just keep on loading and never finish loading. Sorry if the next question sounds stupid, but how do you get the stack trace if there is no crash? (the tab crashes when you put it in any HTML editor online but I suppose that is not the issue).
Mar 1 2016
If you have a reproducible crash can you go to Chrome://crashes and paste the crash ID here. Make sure you have crash reporting enabled.
Mar 1 2016
It might have also re-written its source code while displaying it in Chrome; it took some time to load for the first time, a few seconds. But if that were possible then it would be a lot more dangerous.
Mar 1 2016
Ok, Crash ID 0a1ae4d400000000 (6c4a44c6-e97f-4eda-ad2d-1e7c0bf65e78)
Mar 1 2016
Crash when putting it in an online HTML editor; works on all of the ones I have tried.
Jun 7 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot