Issue 768910


Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Components:
OS: Linux
Pri: 2
Type: Bug-Security


Security: Drag and drop of JavaScript to the URL bar incompletely blocked

Reported by farhankh...@gmail.com, Sep 26 2017

Issue description

While working on Google Chrome I found that dragging anything onto the URL bar will take you to a Google search result. But one payload is executing a popup alert box vulnerability.

Payloads which I have used during the test:
javascript:alert(Iframe)
javascript:alert(Math)
javascript:alert(location)
javascript:alert(location.hostname)
javascript:alert(Function)
javascript:alert(hrf=document)
javascript:alert(/www.google.com/);//

Steps to reproduce:
1. Go to www.google.com
2. Drag the payload javascript:alert(/www.google.com/);// into the URL bar (instead of going for a search, the browser pops up an alert box).
3. I have tried the dragging technique with several payloads but all are going for search results; only ( javascript:alert(/www.google.com/);// ) is showing a popup box.
I have uploaded a POC of this vulnerability.
 
VERSION
Chrome Version: Version 59.0.3071.115 (Official Build) (64-bit)
Operating System: [Kali Linux OS 64 Bit]

Attachment: chrome.webm (1.6 MB)
Components: UI>Browser>Navigation UI>Browser>Omnibox
Labels: OS-Linux
Summary: Security: Drag and drop of JavaScript to the URL bar incompletely blocked (was: Security:)
Cool, thanks for the report!

I can't reproduce this on Windows. Can you try this in the current stable version of Chrome (e.g. 61)?

Your video seems to show the attack working for JavaScript strings other than just the last one? 
Well, this looks mighty suspicious:

https://cs.chromium.org/chromium/src/chrome/browser/ui/views/omnibox/omnibox_view_views.cc?l=1101&rcl=c3119ad1a6b260ed81e74cd0f3308939ca102b21

If the dropped item doesn't have a "URL" type object, then the plaintext is pasted without the required call to StripJavascriptSchemas. I suspect this is a problem on Linux and not Windows because in the Windows codepath, the clipboard provider parses the string into a URL but the Linux clipboard provider does not.
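An added example (not Chromium's code) modelling the check described above: a case-insensitive, repeated strip of a leading "javascript:" scheme, plus a simplified drop handler showing why a plaintext-only branch that skipped the call let the scheme through. StripJavascriptSchemas is the name the comment uses; the helper and handler names, and the handler shape, are assumptions.

```cpp
#include <cctype>
#include <string>

// Skip leading whitespace and ASCII control characters so that a prefix check
// still catches " \tJAVASCRIPT:alert(1)". (Helper name is an assumption.)
static std::string SkipLeadingWhitespaceAndControl(const std::string& s) {
    size_t i = 0;
    while (i < s.size()) {
        unsigned char c = static_cast<unsigned char>(s[i]);
        if (!std::isspace(c) && c >= 0x20) break;
        ++i;
    }
    return s.substr(i);
}

// Repeatedly strip a case-insensitive "javascript:" prefix. Looping matters:
// "javascript:javascript:alert(1)" would survive a single pass.
std::string StripJavascriptSchemas(std::string text) {
    static const std::string kPrefix = "javascript:";
    for (;;) {
        text = SkipLeadingWhitespaceAndControl(text);
        if (text.size() < kPrefix.size()) return text;
        bool match = true;
        for (size_t i = 0; i < kPrefix.size(); ++i) {
            unsigned char c = static_cast<unsigned char>(text[i]);
            if (std::tolower(c) != kPrefix[i]) { match = false; break; }
        }
        if (!match) return text;
        text.erase(0, kPrefix.size());
    }
}

// Model of the drop handler before the fix: only data carrying a URL type
// was stripped, so plaintext drops (the Linux case) reached the omnibox intact.
std::string DropTextBeforeFix(const std::string& dropped, bool has_url_type) {
    return has_url_type ? StripJavascriptSchemas(dropped) : dropped;
}

// After the fix: every drop is stripped regardless of the data type.
std::string DropTextAfterFix(const std::string& dropped, bool /*has_url_type*/) {
    return StripJavascriptSchemas(dropped);
}
```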
Labels: Security_Severity-Low Security_Impact-Stable
Status: Untriaged (was: Unconfirmed)
Confirmed in Chrome 62 on Linux. It only reproduces when dropping on the Omnibox; the drop is rejected when dropping onto the tabstrip.

Given the degree of user-interaction required, this should be Sev-Low.

I couldn't reproduce a problem on Mac, Windows, or ChromeOS.
Yup... I checked in the latest version, Version 62.0.3202.29, and drag and drop of JavaScript to the URL bar is incompletely blocked.
Owner: elawrence@chromium.org
Status: Started (was: Untriaged)
https://chromium-review.googlesource.com/c/chromium/src/+/685638
Project Member

Comment 6 by sheriffbot@chromium.org, Sep 27 2017

Labels: Pri-2
Project Member

Comment 7 by bugdroid1@chromium.org, Sep 27 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/16c719e0e275d2ee5d5c69e4962b744bcaf0fe40

commit 16c719e0e275d2ee5d5c69e4962b744bcaf0fe40
Author: Eric Lawrence <elawrence@chromium.org>
Date: Wed Sep 27 16:17:12 2017

Strip JavaScript schemas on Linux text drop

When dropping text onto the Omnibox, any leading JavaScript schemes
should be stripped to avoid a "self-XSS" attack. This stripping already
occurs in all cases except when plaintext is dropped on Linux. This CL
corrects that oversight.

Bug: 768910
Change-Id: I43af24ace4a13cf61d15a32eb9382dcdd498a062
Reviewed-on: https://chromium-review.googlesource.com/685638
Reviewed-by: Justin Donnelly <jdonnelly@chromium.org>
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#504695}
[modify] https://crrev.com/16c719e0e275d2ee5d5c69e4962b744bcaf0fe40/chrome/browser/ui/views/omnibox/omnibox_view_views.cc

Is it fixed?
Status: Fixed (was: Started)
The fix for this issue landed in Chrome 63.0.3226.0 which has not yet released to the Linux Dev channel.
Will I get any bounty for that?
Labels: reward-topanel
Generally, Severity-Low issues are not awarded bounties, due to the level of user-interaction required to exploit them. 

https://www.google.com/about/appsecurity/chrome-rewards/index.html

If the panel decides this bug is especially interesting, that may change.

Thanks for helping keep our Linux users safe!

Comment 12 Deleted

Comment 13 Deleted

Project Member

Comment 14 by sheriffbot@chromium.org, Sep 29 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Any update?
Re #15: It's not clear what you're asking. Updates on this issue will be mentioned in this issue. 

The fix for this issue landed in Chrome 63.0.3226.0 which has not yet released to the Linux Dev channel.

Comment 17 Deleted

OK. I wanted to ask about the bug bounty update... will I get a bounty or not?
When will the top panel decide about the bounty?
The VRP panel meets on a regular schedule and will update this issue with information after a decision is made.
Labels: -reward-topanel M-63 reward-0
Hello farhankhan5260@ - I'm sorry to say that the VRP panel declined to award for this, as we don't define limiting javascript pasting to be a hard security boundary. Still, many thanks for the report, and this will be assigned a CVE when M63 goes stable.
Labels: Release-0-M63
Labels: CVE-2017-15427
Project Member

Comment 23 by sheriffbot@chromium.org, Jan 5 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 24 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-63 M-65
Labels: CVE_description-missing
Labels: -CVE_description-missing CVE_description-submitted