Professional Webmasters Community

Google Chrome Frame null domain XSS


Post  andry Mon Sep 27, 2010 6:26 am

#####################################
Google Chrome Frame null domain XSS
vendor url:http://www.google.com/chromeframe
vendor changelog:http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html
Vendor notify:yes Exploit available:YES
######################################


######################
Description by vendor
######################

Google Chrome Frame is a free plug-in for Internet Explorer.
Some advanced web apps, like Google Wave, use Google Chrome
Frame to provide you with additional features and better performance.

Google Chrome Frame is an early-stage open source
plug-in that seamlessly brings Google Chrome's open
web technologies and speedy JavaScript engine to
Internet Explorer.

################
Version affected
################

4.0.223.9 (Official Build 29618)
WebKit: 532.3
V8: 1.3.16
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.3 (KHTML, like Gecko) Chrome/4.0.223.9 Safari/532.3

Not affected version:

4.0.245.1 (Official Build 31970)
WebKit: 532.5
V8: 1.3.18.6
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.245.1 Safari/532.5

You can find additional information here:
http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html

#####################
Cross Site scripting
#####################

Create an HTML document with something to test =>

<iframe src="javascript:alert(1)"></iframe>
=> this opens the iframe and executes the alert
(this is correct)

&ltiframe src="cf:javascript:alert(1)></iframe>
this does not work , not show the alert ( correct)

and here is the flaw =>
<iframe src="cf:view-source:javascript:alert(1)"></iframe>

This shows & executes the alert; it works in local & remote
scenarios or via the address bar too.
This bypasses cross-origin protections !!!

For the Google Chrome browser, test this
at the address bar =>
view-source:javascript:alert(1)

This executes the alert, but recently Google has made changes
to the about:blank page and this issue is only exploitable
via the address bar, not in an iframe or frame or HTML document,
so for that reason I think that this issue isn't exploitable in a
remote scenario.

###########
crashes
###########

cf:view-source:about@: crash
cf:about@: => crashing the tab

############
Solution
############

Google has automatically released a new version
of Chrome Frame, 4.0.245.1 (Official Build 31970),
and this version is not affected.

#################End#############
andry
Moderator

Posts : 467
Join date : 2010-05-07
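The flaw above is a classic scheme-prefix bypass: a filter that only inspects the outermost scheme sees "cf:" and passes a URL whose innermost scheme is still "javascript:". Below is an added example (not part of the original post or of Chrome Frame) of a defender-side check that peels wrapper schemes before deciding, and a scanner that applies it to iframe src attributes in a constructed HTML sample; the set of wrapper schemes and the http/https allowlist are assumptions for the example.

```javascript
// Added example: reject iframe src values whose *innermost* scheme is not
// on the allowlist, peeling wrapper schemes first. Checking only the outer
// scheme would let "cf:view-source:javascript:alert(1)" through.
const ALLOWED_SCHEMES = new Set(["http", "https"]);
// Schemes that merely wrap another URL (assumed list for this example).
const WRAPPER_SCHEMES = new Set(["cf", "view-source"]);

// Return the innermost scheme, or null when the URL never had one.
// If the URL ends after a wrapper scheme, the wrapper itself is returned,
// so it is judged against the allowlist rather than treated as relative.
function innermostScheme(url) {
  let rest = url;
  let scheme = null;
  for (;;) {
    const m = /^([a-z][a-z0-9+.-]*):/i.exec(rest);
    if (!m) return scheme;
    scheme = m[1].toLowerCase();
    if (!WRAPPER_SCHEMES.has(scheme)) return scheme;
    rest = rest.slice(m[0].length); // peel the wrapper and look again
  }
}

function isSafeIframeSrc(url) {
  // Drop control characters and whitespace that some parsers ignore
  // inside a scheme (e.g. "java\u0001script:"), so they cannot hide it.
  const cleaned = url.replace(/[\u0000-\u0020]/g, "");
  const scheme = innermostScheme(cleaned);
  if (scheme === null) return true; // relative URL, same origin as the page
  return ALLOWED_SCHEMES.has(scheme);
}

// Scan raw HTML for iframe src attributes and return the unsafe values.
function findUnsafeIframes(html) {
  const unsafe = [];
  const re = /<iframe\b[^>]*\bsrc\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const src = m[2] ?? m[3] ?? m[4];
    if (!isSafeIframeSrc(src)) unsafe.push(src);
  }
  return unsafe;
}

// Constructed sample document mixing a benign frame with the post's cases.
const SAMPLE_HTML = `<iframe src="https://example.com/ok"></iframe>
<iframe src="cf:view-source:javascript:alert(1)"></iframe>
<iframe src='javascript:alert(2)'></iframe>`;
console.log(findUnsafeIframes(SAMPLE_HTML));
```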
