
Issue 808355


Issue metadata

Status: Duplicate
Merged: issue 445758
Closed: Feb 2018
Type: Bug-Security




Security: JavaScript in PDF can navigate browser

Reported by sachinrm...@gmail.com, Feb 2 2018

Issue description

Unvalidated redirect using cross-site scripting

A PDF with JavaScript code executable on startup will be executed in the Chrome browser once the PDF is opened in Chrome. The Chrome browser allows executing the scripts embedded in PDF documents. For the purpose of the PoC I have embedded a script in the PDF, which will redirect the user to the intended website. If malicious JavaScript is injected it will get executed on loading the PDF. Hence Chrome is vulnerable to cross-site scripting, and this vulnerability is exploited in the PoC to redirect the user to the intended web address.

Behaviour of other browsers on opening the same PDF (from PoC):

1. Chrome (Version 63.0.3239.132 (Official Build) (64-bit))
2. Mozilla (57.0.4) - Not redirected
3. Microsoft Edge 40.15063.674.0 - Not redirected

OS: Windows 10, Intel Core i7 64-bit


Affects: All Chrome browser users.
   


Steps to reproduce the issue:

1. Open the attached PDF in the Chrome browser and it will redirect the user to a website (http://footmark.infoedge.com in my case).


 
Attachment: ChromeRedirection PoC.pdf (128 KB)

Example exploitation scenario would be:

1. Adding a malicious script to the PDF which executes on load.
2. Send the file to the victim through Office 365 email.
3. Once the user previews/opens the PDF in the Chrome browser the script will get executed.
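The report above turns on one property of the file: a PDF can carry a startup action (/OpenAction or an /AA additional-action entry) that points at JavaScript or a navigation action, so the document acts as soon as a viewer renders it. The following is an added example, not the reporter's PoC and not Chromium code: a small dependency-free scanner, of the kind a mail gateway or a file-upload handler might run, that flags PDFs where an auto-execute trigger co-occurs with a script or navigation key. Because PDF names may be hex-escaped (`/Open#41ction`) and objects may live inside FlateDecode streams, it normalises both before matching. The three embedded PDFs are constructed samples; the JavaScript in them is a placeholder `app.alert`, and the key lists and the `scan_pdf` result shape are this example's own choices.

```python
"""Flag PDFs that carry startup-triggered JavaScript or navigation actions.

Added example (not from the Chromium issue or its reporter). Scans the raw
bytes plus any inflatable streams for PDF dictionary keys that let a document
run script or navigate on open.
"""
import re
import zlib

# Keys that fire without user interaction, and keys that execute or navigate.
# Lists are this example's choice; a production scanner would extend them.
TRIGGER_KEYS = (b"/OpenAction", b"/AA")
ACTION_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/Launch", b"/SubmitForm", b"/GoToR")

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalise_names(data: bytes) -> bytes:
    """Resolve #xx escapes so /Open#41ction compares equal to /OpenAction."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated content of every stream that zlib can decode.

    decompressobj tolerates a missing trailing checksum byte, so the regex's
    CR/LF trimming around the stream body cannot lose deflate data.
    """
    extra = []
    for m in _STREAM.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed or corrupt; raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)


def _has_key(text: bytes, key: bytes) -> bool:
    """Match a whole name: /JS must not match /JSomething, /AA not /AAPL."""
    return re.search(re.escape(key) + rb"(?![A-Za-z0-9])", text) is not None


def scan_pdf(data: bytes) -> dict:
    """Return the triggers and actions found and whether they co-occur."""
    text = normalise_names(inflate_streams(data))
    triggers = sorted(k.decode() for k in TRIGGER_KEYS if _has_key(text, k))
    actions = sorted(k.decode() for k in ACTION_KEYS if _has_key(text, k))
    return {"triggers": triggers, "actions": actions,
            "auto_exec": bool(triggers and actions)}


# Constructed sample 1: catalog runs JavaScript on open, with hex-escaped
# names to show why normalisation is needed. Script body is a placeholder.
SAMPLE_AUTO_JS = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Java#53cript /JS (app.alert\\(1\\)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: no actions at all.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 3: the action dictionary is hidden in a Flate-compressed
# object stream, so a scan of the raw bytes alone would miss /JavaScript.
_OBJS = zlib.compress(b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj")
SAMPLE_OBJSTM = (
    b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
    b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_OBJS)).encode() + b" >>\nstream\n" + _OBJS
    + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("auto_js", SAMPLE_AUTO_JS), ("benign", SAMPLE_BENIGN),
                       ("objstm", SAMPLE_OBJSTM)):
        print(name, scan_pdf(blob))
```

A hit on `auto_exec` is a reason to quarantine or to open the file in a viewer with scripting disabled, not proof of malice: forms legitimately use /JS and /SubmitForm. The scanner also makes no attempt to follow indirect references or other filters, so it errs toward false negatives on heavily packed files.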

 
Components: Internals>Plugins>PDF
Mergedinto: 445758
Status: Duplicate (was: Unconfirmed)
Summary: Security: JavaScript in PDF can navigate browser (was: Security: Crosssite Scripting XSS + Unvalidated redirect.)
This is working as expected; PDF is an active file type. 
"PDF is an active file type."
Yes, it is!! But using that, a user can be redirected to a malicious site. Try opening the same with other browsers & Adobe Reader. Either they will have a popup for permission or simply they will not redirect.
This is similar to a script embedded in a Jpeg.
Comment 4 by sheriffbot@chromium.org (Project Member), May 11 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
I don't understand how this could be closed as "By Design". Shall we say HTML is an "active file type", so any cross-site scripting reported on HTML pages is to be "By Design"?

re: comment 5 - this bug has been marked as a duplicate of bug 445758. Is the discussion there helpful?
Not really. It is marked as "wont fix" in that thread and the same claim as "active file type" for PDF.
Well, we made a fix for bug 851821, so the PoC in this bug no longer works on Dev Channel. So there's that.
