Issue metadata
Sign in to add a comment
|
Security: Chrome iOS preview document popup
Reported by
xiaopig...@gmail.com,
Nov 25 2017
|
||||||||||||||||||||
Issue descriptionSteps to reproduce: 1.Install iOS Chrome version, download from app store 2.Then you need to have a test.pptx or test.rtf file ready, a hyperlink written after the test text, a javascript: alert (1) hyperlink, and then on iOS Chrome http://xxxx.com/ test.pptx 3.I am here to provide a test.pptx I am ready. http://xiaopigfly.com/test.pptx Just click test to trigger Browser/OS: 62.0.3202.70 Attack scenario: You can use it for fishing and more. A bit similar to cve-2016-7762
,
Nov 25 2017
This is poc, only need to join the hyperlink to write javascript: alert () just fine
,
Nov 25 2017
Thank you for providing more feedback. Adding requester "elawrence@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 25 2017
I can reproduce script execution by clicking on the link in the file. This doesn't seem to be interesting from an end-user security POV-- it's generally expected behavior that clicking on a link within a document loaded in the browser may result in the execution of script inside the browser's sandbox. If you update your http://xiaopigfly.com/test.pptx POC file to replace alert(1) with alert(document.domain) , what domain is shown in the alert? If it's "xiaopigfly.com", then this becomes mildly interesting insofar as it means that some websites may be vulnerable to "Stored XSS" attacks because the site owner does not expect that serving an untrusted PPTX file will allow script execution from their domain serving the untrusted PPTX.
,
Nov 26 2017
xiaopigfly@gmail.com, could you reply to elawrence@'s question in #4? Sorry, I don't have an iOS device to repro.
,
Nov 26 2017
hi,jialiul@chromium.org and elawrence@chromium.org Now that I have updated pptx, visit the address: http://xiaopigfly.com/poc.pptx 。
,
Nov 26 2017
Thank you for providing more feedback. Adding requester "jialiul@chromium.org" to the cc list and removing "Needs-Feedback" label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 26 2017
Thanks xiaopigfly@! elawrence@, what do you think? I feel there's very little can be improved here.
,
Nov 26 2017
The empty string here suggests that the code is running in an anonymous origin rather than in the origin of the hosting website. This suggests that this was intentionally mitigated and that this isn't a vector for stored XSS. (It may be worthwhile to have an iOS dev familiar with this area take a look to confirm that there's nothing of interest here-- I was not previously aware that Chrome on iOS was able to preview documents in this manner. Presumably this is something that the underlying WkWebView provides?)
,
Nov 26 2017
In iOS11 Safari, the script also executes, but shows a GUID for the document.domain value, also strongly suggesting that webkit is pushing the preview into an anonymous origin.
,
Nov 27 2017
Thanks elawrence! per #9 and #10, I'll mark this as Won't fix (work as intended.)
,
Mar 5 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot |
|||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||
Comment 1 by elawrence@chromium.org
, Nov 25 2017