Issue 800230 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows , Chrome , Mac
Pri: 2
Type: Bug-Security



XSS on chrome-search://most-visited/title.html (NTP)

Reported by luan.her...@hotmail.com, Jan 9 2018

Issue description

VULNERABILITY DETAILS
This is very similar to https://bugs.chromium.org/p/chromium/issues/detail?id=592956 and is also blocked by CSP. It is possible to bypass the filter located in the function fillMostVisited on chrome-search://most-visited/util.js by appending a white space in front of the URL.

if (/^javascript:/i.test(data.url) || /^javascript:/i.test(data.thumbnailUrl))
    return;

VERSION
I tested on:
Version 63.0.3239.108

REPRODUCTION CASE
1. Access chrome-search://most-visited/title.html?url=%20javascript:alert(1)&ti=Hi!%20How%20about%20clicking%20me?
2. Click on the link and check the console.
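The bypass in the report comes down to a mismatch between the filter and the navigation that follows it: the regex is anchored at the start of the raw string, but the browser's URL parser strips leading whitespace and C0 controls (and embedded tab/newline) before it looks at the scheme, so " javascript:alert(1)" fails the regex and still navigates as javascript:. The following is an added example, not Chromium's code and not the reporter's: it reproduces the quoted gate beside a scheme allow-list applied after WHATWG URL parsing (Node's global URL), pulls the tile data from the reproduction-case query string, and runs both gates over constructed payloads. Function names, the `thumb` query parameter and the allow-listed schemes are assumptions made for the example.

```javascript
// Added example, not code from Chromium or from the bug report. It contrasts
// the regex gate quoted in the report with a scheme allow-list evaluated on
// the parsed URL. Function names and the tile objects are made up here.

// The href from the reproduction case (constructed from the report).
const REPRO_HREF =
  'chrome-search://most-visited/title.html?url=%20javascript:alert(1)' +
  '&ti=Hi!%20How%20about%20clicking%20me?';

// The title iframe reads its tile data from its own query string.
// 'thumb' is a hypothetical parameter name; the report only uses url and ti.
function tileDataFromHref(href) {
  const params = new URL(href).searchParams;
  return {
    url: params.get('url'),            // '%20' decodes to a leading space
    title: params.get('ti'),
    thumbnailUrl: params.get('thumb'), // null when absent
  };
}

// The gate as quoted from fillMostVisited. Returns true when the tile
// would be rendered, i.e. when the check does NOT bail out.
function regexGateAccepts(data) {
  if (/^javascript:/i.test(data.url) || /^javascript:/i.test(data.thumbnailUrl)) {
    return false;
  }
  return true;
}

// Hardened variant: parse first, then allow-list the scheme. The WHATWG
// parser trims leading space/C0 controls and removes embedded tab/newline,
// which is exactly the normalisation the browser applies when it navigates,
// so the check and the navigation finally agree on the scheme.
const TILE_URL_SCHEMES = new Set(['http:', 'https:']);
// Assumption for the example: thumbnails may also come from chrome-search:.
const THUMB_URL_SCHEMES = new Set(['http:', 'https:', 'chrome-search:']);

function hasAllowedScheme(value, allowed) {
  if (typeof value !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(value);
  } catch (e) {
    return false; // relative or malformed: refuse rather than guess
  }
  return allowed.has(parsed.protocol);
}

function hardenedGateAccepts(data) {
  if (!hasAllowedScheme(data.url, TILE_URL_SCHEMES)) return false;
  // The thumbnail is optional, but if present it must pass as well.
  if (data.thumbnailUrl != null &&
      !hasAllowedScheme(data.thumbnailUrl, THUMB_URL_SCHEMES)) {
    return false;
  }
  return true;
}

// Constructed payloads: the report's leading space, an embedded tab, a
// case variant, a non-javascript scheme and a benign URL.
const PAYLOADS = [
  'https://example.com/',
  'javascript:alert(1)',
  ' javascript:alert(1)',
  'java\tscript:alert(1)',
  'JAVASCRIPT:alert(1)',
  'data:text/html,<script>alert(1)</script>',
];

// Run both gates over a list of tile URLs (no thumbnail) and report.
function compareGates(urls) {
  return urls.map((u) => ({
    url: u,
    regexAccepts: regexGateAccepts({ url: u, thumbnailUrl: null }),
    hardenedAccepts: hardenedGateAccepts({ url: u, thumbnailUrl: null }),
  }));
}

// Stand-alone run: the reproduction case slips past the regex only.
const repro = tileDataFromHref(REPRO_HREF);
console.log('repro url:', JSON.stringify(repro.url));
console.log('regex accepts:', regexGateAccepts(repro),
            'hardened accepts:', hardenedGateAccepts(repro));
console.table(compareGates(PAYLOADS));
```

The table makes the failure mode visible: the regex rejects only the two payloads that literally start with `javascript:`, while the parsed-scheme check rejects everything that is not http(s), including the `data:` URL the regex never considered. A deny-list on one scheme is the wrong shape for this gate; an allow-list on the parsed scheme is what survives whitespace, case and encoding tricks.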
 
Cc: fi...@chromium.org
Components: UI>Browser>NewTabPage
Labels: Security_Severity-Low Security_Impact-Stable OS-Chrome OS-Linux OS-Mac OS-Windows
Owner: treib@chromium.org
Status: Assigned (was: Unconfirmed)
Since this is blocked by CSP, I don't think there's a big vulnerability here. Over to the NTP folks to take a look and clarify. :)

Comment 2 by treib@chromium.org, Jan 9 2018

Agreed, should have no actual impact due to CSP. Still, looks like an easy fix.

Comment 3 by sheriffbot@chromium.org, Jan 9 2018

Labels: Pri-2

Comment 4 by treib@chromium.org, Jan 10 2018

Status: Started (was: Assigned)

Comment 5 by treib@chromium.org, Jan 10 2018

Pending fix here: https://crrev.com/c/859999

Comment 6 by treib@chromium.org, Jan 11 2018

Cc: mastiz@chromium.org

Comment 7 by bugdroid1@chromium.org, Jan 11 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b20c3a08beac89adcec1a8d2332697a9ffd9edd3

commit b20c3a08beac89adcec1a8d2332697a9ffd9edd3
Author: Marc Treib <treib@chromium.org>
Date: Thu Jan 11 10:19:49 2018

Fix potential XSS on the Most Visited title iframe

This is basically the equivalent of https://codereview.chromium.org/1775423002
for the multi-iframe version of the NTP tiles.

While we're here, also remove a bunch of code that's no longer used or
needed: The old implementation of MostLikely suggestions, i.e. params.url etc
(these suggestions are now served through the embeddedSearch API), and
impression/click pings (we got rid of those long ago).

Bug: 800230
Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: Ia31fc22a100730fb6405be9f572718ad78d56f67
Reviewed-on: https://chromium-review.googlesource.com/859999
Commit-Queue: Marc Treib <treib@chromium.org>
Reviewed-by: Mikel Astiz <mastiz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#528591}
[modify] https://crrev.com/b20c3a08beac89adcec1a8d2332697a9ffd9edd3/chrome/browser/resources/local_ntp/most_visited_util.js

Comment 8 by treib@chromium.org, Jan 11 2018

Status: Fixed (was: Started)

Comment 9 by sheriffbot@chromium.org, Jan 11 2018

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Labels: reward-topanel
I'm afraid the VRP panel declined to reward for this - but many thanks for the report!
Labels: -reward-topanel reward-0

Comment 13 by sheriffbot@chromium.org, Apr 19 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
