
Issue 844036

Starred by 2 users

Issue metadata

Status: WontFix
Closed: May 2018
Type: Bug-Security




Security: OS command injection

Reported by ashisha...@gmail.com, May 17 2018

Issue description

VULNERABILITY DETAILS
OS command injection

Issue detail
The q parameter appears to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands and retrieve the output in the application's responses.  The payload |echo f4jqrxxhyb oc51cog4ro||a #' |echo f4jqrxxhyb oc51cog4ro||a #|" |echo f4jqrxxhyb oc51cog4ro||a # was submitted in the q parameter. The application's response appears to contain the output from the injected command, indicating that the command was executed.

Link: https://www.google.com/advanced_search?q=paytm%20bug%20bounty%7cecho%20f4jqrxxhyb%20oc51cog4ro%7c%7ca%20%23%27%20%7cecho%20f4jqrxxhyb%20oc51cog4ro%7c%7ca%20%23%7c%22%20%7cecho%20f4jqrxxhyb%20oc51cog4ro%7c%7ca%20%23&num=100&safe=off&hl=en


Google Chrome 
Version 66.0.3359.181 (Official Build) (64-bit) Stable

Operating System: Windows 10 Enterprise Edition 64 bit

Steps to reproduce:

Step 1: Go to this link https://www.google.com/advanced_search?q=paytm%20bug%20bounty%7cecho%20f4jqrxxhyb%20oc51cog4ro%7c%7ca%20%23%27%20%7cecho%20f4jqrxxhyb%20oc51cog4ro%7c%7ca%20%23%7c%22%20%7cecho%20f4jqrxxhyb%20oc51cog4ro%7c%7ca%20%23&num=100&safe=off&hl=en

Step 2: It executes the OS command pipe.

 
abc.mp4 (2.1 MB)

This issue does not describe a vulnerability in the Chrome web browser. Bugs in other Google sites and services can be reported via the pages at https://www.google.com/about/appsecurity/reward-program/.

At 0:58 in the video, we see what appears to be a successful XSS Attack against the Google.co.in website, but I'm not able to reproduce that using the URL in the report. To eliminate the probability that this is a bug in one of the browser extensions you've installed, I'd recommend re-recording the video using a |Guest| or Incognito browser window without any browser extensions.

I don't see anything that looks remotely like OS command injection in the video.

In particular, if you disable the SEOQuake extension[1] and find that it resolves the XSS, please let us know and we can help outreach to the vendor of that extension so they can fix their bug.

[1] https://www.seoquake.com/index.html
Status: WontFix (was: Unconfirmed)
This tracker is for reporting bugs in chromium. Bugs in Google services should be reported here: https://www.google.com/appserve/security-bugs/m2/new

I'll add to #1 that I would also make sure you aren't proxying your browser through Burp when reproing the XSS.
Project Member

Comment 5 by sheriffbot@chromium.org, Aug 24

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
