New issue
Advanced search Search tips

Issue 696254 link

Starred by 1 user
Status: WontFix
Owner:
lafo...@chromium.org
Closed: Mar 2017
Cc:
tommycli@chromium.org
kerrnel@chromium.org
lafo...@chromium.org
waff...@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 2
Type: Bug-Security



Sign in to add a comment

Embed/Object probe passing security policy for SWF files

Reported by juliedso...@hotmail.com, Feb 26 2017 
UserAgent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce the problem:
1. Enable SWF, And use a HTML embedded tag.

What is the expected behavior?
Block and ask user to allow the action to be performed.

What went wrong?
<embed with a type="application/x-shockwave-flash" seems to be allowing any SWF file to be trusted by browser. The browser may have flash configured on: "Detect and execute import flash content". On some page it's blocked, But on a direct access it's not. Javascript says depending of the file "that flash's not enabled" but it works on direct access..

E.g Code:

<embed wmode="transparent" src="" quality="high" flashvars="" width="1" height="1" allowscriptaccess="sameDomain" type="application/x-shockwave-flash" />

Second:

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="//fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="1" height="1">
<param name="allowScriptAccess" value="sameDomain" />
<param name="movie" value="http://domain.com/a.swf" />
<param name="quality" value="high" />
<param name="FlashVars" value="--" /><param name="wmode" value="transparent" />
<embed src="http://domain.com/a.swf" quality="high" wmode="transparent" width="1" height="1" FlashVars="--" align="middle" allowScriptAccess="sameDomain" type="application/x-shockwave-flash" pluginspage="" />
</object>

P.S: I have tested it just with 5 files, Then i can be wrong. But Whatever, It's not the best way to make the browser most secure.

Thanks.

Did this work before? Yes 

Chrome version: 56.0.2924.87  Channel: stable
OS Version: 6.3
Flash Version: Shockwave Flash 24.0 r0

Comment 1 by kerrnel@chromium.org, Feb 27 2017

Cc: kerrnel@chromium.org
Labels: Needs-Feedback
Thanks for the report, but unfortunately I do not yet understand the exact vulnerability. 

"On some page it's blocked, But on a direct access it's not." --> how do you define a direct access? Are you saying that Chrome is allowing flash content to run by default when it should be blocked?

Comment 2 by juliedso...@hotmail.com, Feb 27 2017 

I have made a mistake saying on "Direct Access".

So, Here we go:

Check: 
data:text/html,<embed src="http://ANYTHINGHERE.SWF" quality="high" width="1" height="1" allowscriptaccess="sameDomain" type="application/x-shockwave-flash" /> It will be block anyway, sure?

- Depending of the HEIGHT the SWF content is being executed without ask the user permission(Really Weird); Like if it's height="1" it will be blocked, If it is more, it looks like every embedded content larger than 1 pixel is being executed without user permission.

- Local files of the same URL seems to don't need user permission, same for 1 pixel though.

Check this i have sent:

http://yay21sckthisnow0.website.tk/datthingylol0.html (Didn't asked for permission, Same for 1 Pixel). 

External files with 1 pixel are being blocked and asking for users permission. Not only the 1 pixel should have to ask permission, according to the browser settings. 

P.S: The content is only executed when the option ""Ask before allowing sites from executing flash content(Recommended)" Is active. Which demonstrates that there is a failure to execute these files without asking permission before.

------------------------------------------------------

Comment 3 by kerrnel@chromium.org, Feb 28 2017

Cc: waff...@chromium.org
+waffles@ who might know more.

I think it blocks 1 pixel Flash plugins by default as a policy against some invisible Flash plugins. As for it allowing other plugins without permission, can you confirm that you didn't set "Always allow flash content" on those pages? And please check the Flash section in chrome://settings/content

I also think it could be intended policy to allow a flash plugin from the local filesystem to execute automatically, but let's get someone on this bug with a definitive answer.

Comment 4 by kerrnel@chromium.org, Feb 28 2017

Components: Internals>Plugins>Flash

Comment 5 by waff...@chromium.org, Feb 28 2017

Cc: tommycli@chromium.org lafo...@chromium.org

Comment 6 by lafo...@chromium.org, Feb 28 2017 

We have a same origin exception from Tiny (5x5 or below) Flash content.  The exception was meant to be a temporary relief for smaller developers, for features that are well now very supported by the web platform (e.g. clipboard access, audio streams, etc...).

We currently have an experiment running on Canary and Dev w/ the exception removed (1).  The plan is to ship that to stable in ~Chrome 60 timeframe.

(1) - https://www.chromium.org/flash-roadmap#TOC-PPS-Tiny---No-Same-Origin-Exceptions-Target:-Chrome-60---June-2017-

Comment 7 by vakh@chromium.org, Mar 6 2017

Owner: lafo...@chromium.org
laforge@ -- it sounds like this is working as intended. Yes?
Project Member

Comment 8 by sheriffbot@chromium.org, Mar 6 2017

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding requester "kerrnel@chromium.org" to the cc list and removing "Needs-Feedback" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 9 by laforge@google.com, Mar 6 2017

Status: WontFix (was: Unconfirmed)
Yeah, unless I'm missing something this appears to be a working as intended (WontFix).
Project Member

Comment 10 by sheriffbot@chromium.org, Jun 13 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment