Issue 691885

Issue metadata

Status: WontFix
Owner: ----
Closed: Feb 2017
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security
JavaScript Key Filtering Vulnerability

Reported by mishra.d...@gmail.com, Feb 14 2017

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:54.0) Gecko/20100101 Firefox/54.0

Steps to reproduce the problem:
Works for me in Chrome: Stable on Win 7

1. Open hide.html

What is the expected behavior?

What went wrong?
Multiple web browsers are prone to a JavaScript key-filtering vulnerability because the browsers fail to securely handle keystroke input from users.

This issue is demonstrated to allow attackers to divert keystrokes from one input form in a webpage to a hidden file-upload dialog in the same page. This may allow remote attackers to initiate file uploads from unsuspecting users. Other attacks may also be possible.

Exploiting this issue requires that users manually type the full path of files that attackers wish to download. This may require substantial typing from targeted users, so attackers will likely use keyboard-based games, blogs, or other similar pages to entice users to enter the required keyboard input to exploit this issue.

Did this work before? N/A

Chrome version: 56.0.2924.87 (Official Build) (64-bit)  Channel: stable
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 24.0 r0

Attachment: hide.html (1.3 KB)

I remember this cool vulnerability that existed in browsers back around 2006.

This repro page doesn't do anything in Chrome 56, and I don't think it would do anything in any earlier version of Chrome (all the way back to 1.0) either. That's because Chrome doesn't accept keyboard input (except spacebar, which opens the File Open dialog) in the File Upload control. 

Are you copying old vulnerabilities from some other bug database to Chrome's for some reason?

Labels: -Restrict-View-SecurityTeam allpublic
Status: WontFix (was: Unconfirmed)
Public Disclosure from 2007 - http://www.securityfocus.com/bid/26669/discuss

Please do not file vulnerabilities that are not reproducible in Chrome. Please do not copy/paste vulnerabilities and descriptions from public sources without making clear that you have done so.

Nope, after reading the comment and searching, I found Security Focus has the CVE ID for the similar issue.
I wasn't aware that this is a 2006 bug that was already reported, or I would have submitted it giving a reference to the upstream bug ID from Chromium, if I had found it.

Your report includes verbatim strings copied from the 2007 Security Focus page.