
Issue 700796

Starred by 1 user

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug




weird behavior of chrome browser on particular script

Reported by pvishal...@gmail.com, Mar 13 2017

Issue description

VULNERABILITY DETAILS
Hi Google team,
Steps to reproduce:

I created an HTML page.
<html>

<head>
    <script>
        function onLoadFunction() {
            document.data.submit();
        }
    </script>
</head>

<body onLoad="onLoadFunction()">
    <form name="data" method="POST" action="test">
    <input type="hidden" name="MD" value="test">">
    <input type="hidden" name="PaRes" value="eJxVj0sLwjAQhP/KkruNiqCFbURsqwcF8XHwWM2qgTahSX39e6tNFS8LyzczO4vjR5HDjaxTRkesF3QZkD4aqfQ5Yrtt2hmxscDtxRLFGzpeLQlcknPZmUDJiMVhXsp7lvb2w/lkFg6m6/ViWSYpE5hYa6xAHy7q7KCPvF2R3nhqJIkwRP7bGuBviBXZItOkK3BPV1EBp0zldYvAW1pd44qpqrFI60ESKgOHq8olfBgUjbR1ei1y35N/o/jfuy9UbWWC"></form>
</body>

</html>

Write this script in Notepad++, save it as a .html file, and open it with Chrome.

Actual results:

When I opened the same HTML file in Internet Explorer (IE11), it gives the correct file and I am able to view the source code as well.
But I am unable to see the same thing in Chrome, and it redirects to some other path.

VERSION
Chrome Version: latest version
Operating System: Windows 7

REPRODUCTION CASE
Example:
If you create a file named test.html (or whatever name you wish), copy the above content into it, and then open it in IE11, the path will be c://users/vishal/test.html.

But in Chrome the path is c://users/vishal/test; it redirects to one of the parameter values I mentioned in that HTML file, and not to the particular HTML file.

So the result comes back as no file found.

Please find attached file for clear information about this bug.


 
Attachments: IE.JPG (41.2 KB), chrome.JPG (34.6 KB)
Components: Blink>Forms
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Status: WontFix (was: Unconfirmed)
Summary: weird behavior of chrome browser on particular script (was: Security: weird behavior of chrome browser on particular script)
The behavior in the Chrome screenshot is exactly as I'd expect it to be. You have an HTML page that, upon load, attempts to post a web form to a file in the same folder named "test". (Notably, there's no way to POST to URLs hosted on your local filesystem, but that's not relevant here).

Chrome attempts to load the file named "test" (with no filename extension) in the same folder and it fails to do so because no such file exists. If you created such a file, it loads just fine. 
As for why you're seeing different behavior in IE vs Chrome, you have the following line:

 <input type="hidden" name="MD" value="test">">

That trailing "> on the end of the line is malformed and thus treated as plaintext, and that's what you see inside the IE screenshot. 

The reason that IE doesn't attempt to submit the form is because IE does not run script in local files by default; see https://blogs.msdn.microsoft.com/ieinternals/2011/03/23/understanding-local-machine-zone-lockdown/

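The two points made in the reply above (the relative form action resolving to a file named "test" in the same folder, and the trailing "> being treated as plain text), shown as an added JavaScript example that is not part of the original issue thread. The function names are hypothetical, the tokenizer is a simplified stand-in for a real HTML parser, and the sample markup and file:/// URL are constructed from the report.

```javascript
// Added illustration; function names are hypothetical, sample input is constructed.

// Resolve a form's action against the page URL, as a browser does on submit.
function resolveFormAction(pageUrl, action) {
  return new URL(action, pageUrl).href;
}

// Simplified tokenizer: splits markup into tags and text runs, honouring
// quoted attribute values so a ">" inside quotes does not end the tag.
function tokenize(html) {
  const tokens = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === "<") {
      let j = i + 1;
      let quote = null;
      while (j < html.length) {
        const c = html[j];
        if (quote) {
          if (c === quote) quote = null;      // closing quote of the value
        } else if (c === '"' || c === "'") {
          quote = c;                          // opening quote of a value
        } else if (c === ">") {
          break;                              // unquoted ">" ends the tag
        }
        j++;
      }
      tokens.push({ type: "tag", value: html.slice(i, j + 1) });
      i = j + 1;
    } else {
      let j = html.indexOf("<", i);
      if (j === -1) j = html.length;
      tokens.push({ type: "text", value: html.slice(i, j) });
      i = j;
    }
  }
  return tokens;
}

// Non-whitespace text runs: content that ends up rendered on the page.
function strayText(html) {
  return tokenize(html)
    .filter((t) => t.type === "text" && t.value.trim() !== "")
    .map((t) => t.value.trim());
}

// Constructed sample mirroring the report's form (PaRes value shortened).
const sample =
  '<form name="data" method="POST" action="test">\n' +
  '<input type="hidden" name="MD" value="test">">\n' +
  '<input type="hidden" name="PaRes" value="x"></form>';
```

Calling resolveFormAction with the page's file URL and "test" gives the extensionless path Chrome tried to load, and strayText(sample) returns the single leftover "> that IE displayed.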