New issue
Advanced search Search tips

Issue 667135 link

Starred by 2 users
Status: WontFix
Owner: ----
Closed: Dec 2016
Components:
EstimatedDays: ----
NextAction: 2016-12-05
OS: ----
Pri: 2
Type: Bug



Sign in to add a comment

Security: Running javascript from SVG and exposing the window object

Reported by michal.w...@gmail.com, Nov 20 2016 
This template is ONLY for reporting security bugs. If you are reporting a
Download Protection Bypass bug, please use the "Security - Download
Protection" template. For all other reports, please use a different
template.

Please READ THIS FAQ before filing a bug: https://www.chromium.org/Home
/chromium-security/security-faq

Please see the following link for instructions on filing security bugs:
http://www.chromium.org/Home/chromium-security/reporting-security-bugs

NOTE: Security bugs are normally made public once a fix has been widely
deployed.

VULNERABILITY DETAILS
Chrome opened an SVG file (image file) and ran a javascript script within the file, as if it was an html page. Therefore it ran a script without me possibly knowing any script could be executed.
The included script uses obfuscation to redirect to a malicious (at least to my DNS) website: http://mourad.com/php/trust.php. I did not try to visit that website. 

VERSION
Chrome Version: 53.0.2785.101
Operating System: Ubuntu 14.04

REPRODUCTION CASE
I have received this file from a friend who is a photographer, so I thought he wants to share an image with me. This way people can easily be deceived to visit unsafe websites.

Comment 1 by mea...@chromium.org, Nov 21 2016

Components: Blink>SVG
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
SVG files are active content that can run JavaScript so this seems to be working as intended. This is similar to opening an HTML file sent by someone else.

That said, I'm wondering if there are interventions we could do when the SVG file is downloaded and opened from the local file system (or whether it's worth blocking them), so I'm keeping the bug open.

Comment 2 by schenney@chromium.org, Nov 21 2016

Labels: Needs-Feedback Pri-2
NextAction: 2016-12-05
Could you please give us the exact nature of the file, and how the SVG was embedded? That is, was it an HTML file with a tag that referenced an SVG file (svg-as-image) or was it a HTML file with SVG content within it, or was is base64 encoded SVG, or something else?

It is important to know which because the rules for script blocking vary depending on how the SVG is embedded.

Comment 3 by schenney@chromium.org, Nov 21 2016

Status: Untriaged (was: Unconfirmed)

Comment 5 by schenney@chromium.org, Dec 5 2016

Status: WontFix (was: Untriaged)
It seems that there is nothing we can do about this, it indeed it is referring to the links in comment #4. It's malicious JS, sure, but there's nothing wrong with the way we're opening or executing the file as far as I know.

Given the lack of additional information, I'm closing this.

Sign in to add a comment