
Issue 648965 link

Starred by 1 user

Issue metadata

Status: WontFix
Owner:
Closed: Sep 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




XSS Auditor Bypass using PHP var_export and print_r

Reported by aravind....@gmail.com, Sep 21 2016

Issue description


VULNERABILITY DETAILS
I found a security flaw that allows an attacker to bypass the XSS Auditor.
This basically occurs due to the bad use of the PHP functions var_export and print_r.

VERSION
Chrome Version: [53.0.2785.116 (64-bit)] + [stable]
Operating System: [BackboxLinux, 14.04.1-Ubuntu SMP]

REPRODUCTION CASE
I have attached a php file as well as the screenshots of the possible attack.


Attachments:
chrome_version_that_i_am_using.png (60.2 KB)
thepayload.png (28.8 KB)
print_rXSSRan.png (33.1 KB)
var_exportFuncRan.png (34.9 KB)
exp.php (166 bytes)
Components: Blink>SecurityFeature
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: XSS Auditor Bypass using PHP var_export and print_r (was: Security: XSS Auditor Bypass vulnerability)
I am unclear on whether the XSS Auditor attempts to sanitize navigations of this form (e.g. localhost, not cross-origin); I don't think the repro script looks very interesting, and the <SCRIPT> is plainly in the request URL.

As a "best effort" feature, XSS Auditor bypasses are not considered security bugs; changing bug type. https://www.chromium.org/Home/chromium-security/security-faq#TOC-Are-XSS-filter-bypasses-considered-security-bugs-

Comment 2 by tsepez@chromium.org, Sep 21 2016

Hi, what would be helpful for me, rather than trying to run your PHP script, would be if you could provide me with:

The portion of the URL containing the XSS payload, and
The output from the server (e.g. view-source) that invokes the script.

Comment 3 by tsepez@chromium.org, Sep 21 2016

Cc: mkwst@chromium.org
Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 4 by tsepez@chromium.org, Sep 21 2016

Looking at the PHP man page for print_r(), it's going to introduce stray punctuation (e.g. the => in "[x] => y") that wasn't in the original input.  XSSAuditor can't guard against every possible transformation, and I don't think this is one we want to cover.

Still looking at var_export.

Comment 5 by tsepez@chromium.org, Sep 21 2016

Status: WontFix (was: Assigned)
Ditto with var_export(): it introduces "=>" in the middle of the expression.

I think that we're going to choose not to cover these particular server-side transformations.

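The transformation comments 4 and 5 describe, shown as an added illustration rather than the attached exp.php: print_r() and var_export() wrap a reflected query parameter in "[key] => value" syntax, so the page no longer contains the request string verbatim, yet the markup still reaches the browser unescaped. The $input array is a constructed stand-in for $_GET, and render_debug() is a hypothetical helper name; the only dependable fix is output encoding on the server, independent of any browser-side filter.

```php
<?php
// Constructed sample standing in for $_GET on a request such as ?q=<b>hi</b>
$input = ['q' => '<b>hi</b>'];

// Vulnerable pattern: dumping request data straight into the response.
// print_r() prefixes each element with "[q] => " and var_export() adds
// quotes and "=>" as well, so a filter that looks for the request string
// reflected verbatim sees nothing to match, while the tags are still live HTML.
function dump_unescaped(array $params, string $mode): string
{
    if ($mode === 'var_export') {
        return var_export($params, true);
    }
    return print_r($params, true);
}

// Hardened version: the same debug dump, but every character that could
// open or close markup is entity-encoded before it is written to the page.
function render_debug(array $params, string $mode = 'print_r'): string
{
    $dump = dump_unescaped($params, $mode);
    return '<pre>' . htmlspecialchars($dump, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Side-by-side output for both PHP functions.
foreach (['print_r', 'var_export'] as $mode) {
    echo "--- $mode, unescaped (vulnerable) ---\n";
    echo dump_unescaped($input, $mode), "\n";
    echo "--- $mode, escaped (safe) ---\n";
    echo render_debug($input, $mode), "\n";
}
```

Running it from the command line prints each dump twice, once with the raw tags and once with them encoded; only the second form is safe to embed in an HTML response.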