
Issue 91218 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Aug 2011
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security





XSS in chrome://appcache-internals

Project Member Reported by tsepez@chromium.org, Aug 1 2011

Issue description

There is an XSS hole in the chrome://appcache-internals page due to incorrect escaping of user input prior to display.

VULNERABILITY DETAILS
The vulnerability is possible when a known application has been installed, the example shown here is specific to "angry birds", but there is a corresponding vector for any app which is consistent across all installations of the app.

VERSION
Chrome Version: [14.0.835] + [beta]
Operating System: presumably all, tested on linux 64 

This was likely introduced at r92263.

REPRODUCTION CASE
- Install angry birds from the app store.
- launch angry birds
- In a new tab, type into the location bar:

chrome://appcache-internals/?view-cache=aHR0cDovL2Nocm9tZS5hbmdyeWJpcmRzLmNvbS9tYW5pZmVzdC9mb3dsLm1hbmlmZXN0# onmouseover=alert(0)//

- page source contains:

<a href=chrome://appcache-internals/?view-entry=aHR0cDovL2Nocm9tZS5hbmdyeWJpcmRzLmNvbS9tYW5pZmVzdC9mb3dsLm1hbmlmZXN0|aHR0cDovL2Nocm9tZS5hbmdyeWJpcmRzLmNvbS8=|1409# onmouseover=alert(0)//>

mousing over links triggers JS execution.

 
Cc: abarth@chromium.org michaeln@chromium.org
Owner: tsepez@chromium.org
I'll take this one as part of the CSP changes for chrome:// pages.
Status: Started
Another variation on the same idea -- tunnelling javascript:-URL through base64 decode:

chrome://appcache-internals/?view-entry=aHR0cDovL2Nocm9tZS5hbmdyeWJpcmRzLmNvbS9tYW5pZmVzdC9mb3dsLm1hbmlmZXN0|amF2YXNjcmlwdDphbGVydCgwKQ==|1331

CSP will catch this one, otherwise need to restrict to https?:// style urls.
Labels: SecSeverity-Low
Seems like low severity to me; let me know if you disagree Tom!
Status: Fixed
Low severity seems reasonable.
Fixed at http://src.chromium.org/viewvc/chrome?view=rev&revision=95093


Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Status: FixUnreleased
Thanks for the fix. We'll put in a nod in our Chrome 15 release notes, then.
 Issue 91522  has been merged into this issue.
Thanks for fixing this!

Now that these pages can't run script at all... i feel more secure already :)
Labels: SecImpacts-Stable
Batch update.
Labels: CVE-2011-3877

Comment 11 by cdn@chromium.org, May 15 2012

Status: Fixed
Marking old security bugs Fixed.
Project Member Comment 12 by bugdroid1@chromium.org, Oct 13 2012

Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013

Labels: -Type-Security -SecSeverity-Low -SecImpacts-Stable Security-Severity-Low Security-Impact-Stable Type-Bug-Security
Project Member Comment 14 by bugdroid1@chromium.org, Mar 11 2013

Labels: -Area-Undefined
Project Member Comment 15 by bugdroid1@chromium.org, Mar 13 2013

Labels: Restrict-View-EditIssue
Labels: -Restrict-View-SecurityNotify -Restrict-View-EditIssue
Project Member Comment 17 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Severity-Low Security_Severity-Low
Project Member Comment 18 by bugdroid1@chromium.org, Mar 21 2013

Labels: -Security-Impact-Stable Security_Impact-Stable
Labels: allpublic
Labels: CVE_description-submitted
