Issue metadata
Sign in to add a comment
|
IFRAME Zone Restriction Bypass.
Reported by
mishra.d...@gmail.com,
Jan 28 2017
|
||||||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0 Steps to reproduce the problem: Create a file with the below script in it. <iframe name="abc" src="file:///C:/"></iframe> What is the expected behavior? What went wrong? This could allow an attacker to access a users filesystem within the Local Zone. The problem occurs when handling malformed HTML iframes which point to local system locations. Exploitation of this vulnerability could result in the exposure of sensitive data or could potentially lead to the corruption of system critical files. Did this work before? N/A Chrome version: 55.0.2883.87 (Official Build) m (64-bit) Channel: n/a OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: Shockwave Flash 24.0 r0
,
Jan 29 2017
This vulnerability could result in the exposure of sensitive data or could potentially lead to the corruption of system critical files. However i am able to access the local file system from the iframe as well which will leads to iFrame Zone Restricted bypass.
,
Jan 30 2017
dcheng, mkwst, do you have any thoughts about file:// URLs loading other file:// URLs in iframes? I don't know if it's that much different than being allowed to load other file:// URLs in images, except perhaps that one file:// URL could clickjack another.
,
Jan 30 2017
I agree with estark@ that the normal cross-origin properties of the frame should be a reasonable defense against exfiltration. mishra.dhiraj95@: do you have specific attack scenarios in mind when you're talking about "iFrame Zone Restricted bypass"? That said, I'm surprised that we allow websites to load `file:` in an iframe. I thought we blocked that. Looking at the code, https://cs.chromium.org/chromium/src/third_party/WebKit/Source/platform/weborigin/SecurityOrigin.cpp?rcl=1485491011&l=336 seems to agree with me. I'm on a Chromebook at the moment, so I don't actually _have_ a filesystem with which to replicate the error... Emily, would you mind giving it a try?
,
Jan 30 2017
Yeah, we don't allow "real" websites to load file:// URLs in frames. AFAIU this report is just about file:// URL being able to load other file:// URLs in frames, so one file:// URL could, for example, clickjack another file:// URL.
,
Jan 30 2017
Ah. I see. `file:` can frame `file:` today, you're right. But that's a fairly different threat model than the web being able to frame `file:`. :) I guess I'm still curious about what this enables that we'd want to prevent. +lgarron@, who cares about `file:` more than I do.
,
Jan 30 2017
If file:// pages couldn't embed things from file:// origins, this would break save page. I suppose it could allow potential clickjacking attacks against files at a fixed location (poorly written management console for some local app?), but the risk doesn't seem that high. As file:// origins themselves are unique, the standard cross-origin protections still apply. Unless there's something new to consider here, I think this is WAI.
,
Jan 31 2017
I agree the risk is low and not worth breaking useful functionality. OP, please feel to free to post more detail if you think there's something we've missed. Thanks!
,
Jan 31 2017
I dont have any specific attack scenario for now, there are various different models of attack that can be performed for this moment. Request you to please have a look again because for now you may be right but a fix may be needed in future.
,
Jan 31 2017
And this works perfect for me in Mozilla : Bug id=1335301 and Edge and IE as well.
,
May 9 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by est...@chromium.org
, Jan 29 2017