Stored XSS vulnerability in Google Earth via KML file
Reported by alialavi...@gmail.com, Nov 27 2017
Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0

Steps to reproduce the problem:
1. Open this URL: https://earth.google.com/web/
2. Now enable KML file.
3. Now I upload a malicious KML file that has an iframe tag for downloading a file and calling a deface page, and an href link for clicking.

Browser/OS: chrome

Attack scenario:
Hi, every hacker can exploit https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet ==> iframe, href, etc., downloader

What is the expected behavior?
danger

What went wrong?
You must disable iframe and scripting.

Did this work before? N/A

Chrome version: <Copy from: 'about:version'> Channel: n/a
OS Version: 6.1 (Windows 7, Windows Server 2008 R2)
Flash Version: Shockwave Flash 26.0 r0

This is very dangerous because an attacker can download a file with an executed iframe for the victim through Google.
Nov 27 2017
Thanks for reporting! Mark as Won'tFix since it is not a Chrome/Chromium bug. And please report this issue via https://sites.google.com/site/bughunteruniversity/improve instead.
Mar 6 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Nov 27 2017
Summary: Stored XSS vulnerability in Google Earth via KML file (was: google earth have cross site scripting +run iframe and etc)
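
Added example, not part of the original report and not Google or Chromium code: a defender-side check that parses a KML file and flags text nodes carrying the markup the report names (iframe, href), along with script elements and event handlers. The function names, the tag list and the sample KML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Assumed list of elements treated as active content in KML text nodes.
ACTIVE_TAGS = {"iframe", "script", "object", "embed"}

class ActiveHtmlFinder(HTMLParser):
    """Collects active-content findings from one HTML fragment."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and re.match(r"(javascript|data|vbscript):", value):
                self.findings.append(f"{name} with script-capable URL scheme on <{tag}>")

def scan_kml(kml_text):
    """Return (kml_element, finding) pairs for every text node holding active HTML."""
    results = []
    # For untrusted uploads, swap in a hardened XML parser such as defusedxml.
    root = ET.fromstring(kml_text)
    for elem in root.iter():
        if not elem.text or "<" not in elem.text:
            continue
        finder = ActiveHtmlFinder()
        finder.feed(elem.text)
        finder.close()
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        results.extend((tag, finding) for finding in finder.findings)
    return results

# Constructed sample: a placemark whose description carries an iframe and a link.
SAMPLE_KML = """<kml xmlns="http://www.opengis.net/kml/2.2"><Placemark>
<name>Constructed sample</name>
<description><![CDATA[<iframe src="https://example.invalid/file"></iframe>
<a href="https://example.invalid/page">click</a>]]></description>
</Placemark></kml>"""

if __name__ == "__main__":
    for element, finding in scan_kml(SAMPLE_KML):
        print(f"{element}: {finding}")
```

A plain https link is not flagged here; a service rendering KML would still need an allow-list sanitizer on output rather than relying on detection alone.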