
Issue 671382


Issue metadata
Status: WontFix
Closed: Dec 2016
OS: Windows
Type: Bug




Download protection: NFO files

Reported by ya...@nightwatchcybersecurity.com, Dec 5 2016

Issue description

VERSION
Chrome Version: 55.0.2883.75m stable
Operating System: Windows 7 Enterprise, Service Pack 1

REPRODUCTION CASE
1. Try the following file - download:
https://theowl.xyz/cr/nfo/test1.nfo
2. Double click to start MSInfo.

The counter will not increment. We are also attaching a test file WITHOUT a payload.

NFO files have an XXE vulnerability as discussed here:
http://seclists.org/bugtraq/2016/Dec/2
Attachment: test1.nfo (39 bytes)
We can provide a patch
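An added example, not part of the original report and not Chromium code: a stand-alone check for the entity-injection pattern the reporter refers to. An msinfo32 .nfo file is XML, and the classic XXE shape is a DOCTYPE that declares a SYSTEM (or PUBLIC) entity and then references it from content. The scanner below uses the standard-library expat bindings to record external entity declarations and references without ever fetching them (the reference handler returns 1 so parsing continues, but nothing is resolved). The NFO content embedded in it is constructed for this example; the element names, the entity name `ext` and the win.ini path are assumptions, not the contents of the reporter's test1.nfo.

```python
import xml.parsers.expat

# Constructed sample inputs for this example (not the reporter's test1.nfo).
# Element names, the entity name and the target path are assumptions.
SAMPLE_XXE_NFO = b"""<?xml version="1.0"?>
<!DOCTYPE MsInfo [
  <!ENTITY ext SYSTEM "file:///C:/Windows/win.ini">
]>
<MsInfo>
  <Category name="System Summary">&ext;</Category>
</MsInfo>
"""

SAMPLE_CLEAN_NFO = b"""<?xml version="1.0"?>
<MsInfo>
  <Category name="System Summary">OS Name: Windows 7 Enterprise</Category>
</MsInfo>
"""


def scan_nfo(data: bytes) -> dict:
    """Parse an .nfo (XML) file with expat and report XXE indicators.

    External entities are never fetched: the reference handler only counts
    them and returns 1 so that expat keeps parsing the rest of the document.
    """
    findings = {
        "doctype": None,            # DOCTYPE name if one is present
        "external_entities": [],    # (name, system id) for SYSTEM/PUBLIC entities
        "internal_entities": [],    # entities with inline replacement text only
        "external_refs": 0,         # references to external entities in content
        "parse_error": None,
    }
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = name

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            findings["external_entities"].append((name, system_id))
        else:
            findings["internal_entities"].append(name)

    def on_external_ref(context, base, system_id, public_id):
        findings["external_refs"] += 1
        return 1  # non-zero: keep parsing; system_id is deliberately not opened

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings["parse_error"] = str(exc)

    # Any SYSTEM/PUBLIC entity declaration or external reference flags the file.
    findings["suspicious"] = (
        bool(findings["external_entities"]) or findings["external_refs"] > 0
    )
    return findings


if __name__ == "__main__":
    for label, blob in (("xxe", SAMPLE_XXE_NFO), ("clean", SAMPLE_CLEAN_NFO)):
        print(label, scan_nfo(blob))
```

The check is intentionally conservative: it flags any document that declares an external entity, whether or not the reference is reachable, because a downloaded file that needs one has no business being opened by a local handler.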

Comment 2 by ajha@chromium.org, Dec 6 2016

Labels: M-55 OS-Windows
Cc: nparker@chromium.org pbomm...@chromium.org
cc'ing nparker@ for more insights on the bug.
Thanks for the report.

In general, the Safe Browsing VRP reward doesn't apply for exploits in external handlers. We're also no longer rewarding for new file types that can be easily added to download_file_types.asciipb.  ref:

https://www.google.com/about/appsecurity/chrome-rewards/
"The extension of the binary file must be one of those that Chrome already tracks. This list can be found here: download_file_types.asciipb"

Owner: nparker@chromium.org
Labels: prestable-55.0.2883.75
Status: Untriaged (was: Unconfirmed)
Status: WontFix (was: Untriaged)

Comment 9 by vakh@chromium.org, Mar 10 2017

Labels: -Restrict-View-Google Restrict-View-SecurityTeam
For all Download Protection VRP bugs: removing label Restrict-View-Google and adding Restrict-View-SecurityTeam instead.

Comment 10 by sheriffbot@chromium.org, Mar 25 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
