Security: Chrome is missing download protection for svg file type
Reported by
p.upadhy...@gmail.com,
Feb 2 2018
Issue description
Steps to reproduce: Upload an svg file to an attacker-controlled site with javascript in it. Victim downloads the svg file using Chrome browser. Victim chooses to open the file with chrome (if chrome is the default browser, the OS will show Chrome as the default program) and the underlying script in the svg file gets executed. I checked the safe browsing download file types list posted and I don't see any protection for the SVG file type. Please let me know in case of any questions.
,
Feb 2 2018
,
Apr 11 2018
I ran the following scenario - This svg file is on my desktop (Windows OS) which is available at C:\Users\<username>\Desktop and line no 2 is pointing to a valid file on my C drive under C://POC/cert.cert. Open this svg file in chrome and it downloads the msi file without even changing the URL to the target installer file.

<svg xmlns="http://www.w3.org/2000/svg">
<script>alert(window.location.href="/../../../POC/cert.cert")</script>
<script>alert(window.location.href="https://dev.mysql.com/get/Downloads/MySQLInstaller/mysql-installer-community-8.0.3.0-rc.msi")</script>
</svg>
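A defender-side check for the scenario in this report, added here as an example (it is not part of the original issue thread or of Chrome's code): a site that accepts SVG uploads, or a triage script, can flag SVG files that carry script-capable content before they are served or opened. The function name, finding labels and sample inputs are assumptions constructed for illustration.

```python
from xml.parsers import expat

ACTIVE_ELEMENTS = {"script", "foreignObject"}  # can run or embed script-capable content

class _Abort(Exception):
    """Raised inside a handler to stop parsing early."""

def svg_active_content(data):
    """Return findings for an SVG byte string; an empty list means none found."""
    findings = []

    def local(name):
        # With namespace_separator=" ", names arrive as "<namespace-uri> <local>".
        return name.rsplit(" ", 1)[-1]

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Plain SVG needs no DTD; stop before any entity is declared or expanded.
        findings.append("doctype")
        raise _Abort

    def on_start(name, attrs):
        tag = local(name)
        if tag in ACTIVE_ELEMENTS:
            findings.append("element:" + tag)
        for attr, value in attrs.items():
            key = local(attr).lower()
            if key.startswith("on"):  # onload, onclick, ...
                findings.append("handler:%s@%s" % (tag, key))
            elif key == "href" and "".join(value.split()).lower().startswith("javascript:"):
                findings.append("js-url:%s@%s" % (tag, key))

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Abort:
        pass
    except expat.ExpatError:
        findings.append("unparseable-xml")  # treat malformed input as suspect
    return findings

# Constructed samples (not taken from the report).
SCRIPTED = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script>'
            b'<rect width="1" height="1" onclick="void 0"/></svg>')
CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
WITH_DTD = b'<!DOCTYPE svg [<!ENTITY a "b">]><svg xmlns="http://www.w3.org/2000/svg"/>'

if __name__ == "__main__":
    for label, blob in (("scripted", SCRIPTED), ("clean", CLEAN), ("dtd", WITH_DTD)):
        print(label, svg_active_content(blob))
```

A non-empty result is a reason to reject the file, sanitize it, or serve it only as a non-rendered download; an empty result covers only the patterns checked here.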
,
Apr 11 2018
Does this look similar but utilizing other file types? https://wwws.nightwatchcybersecurity.com/2018/02/26/multiple-instances-of-download-protection-bypass-in-googles-chrome/
,
May 12 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Feb 2 2018
Labels: Needs-Feedback