68281 2011-09-16 14:47:06 -0700 xssauditor - bypass with unterminated closing script tag 2011-09-19 11:58:31 -0700 1 1 1 Unclassified WebKit WebKit Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Minor --- 66579 1 tsepez tsepez abarth webkit.review.bot oldest_to_newest 468821 0 tsepez 2011-09-16 14:47:06 -0700 Upstreamed from http://code.google.com/p/chromium/issues/detail?id=96845 Reported by nikifora...@gmail.com, Today (5 hours ago) VULNERABILITY DETAILS It is possible to bypass Google Chrome's Anti-XSS filtering mechanism through the use of a specially crafted parameter. The parameter, which is initially not valid JavaScript, passes through the filter and then gets 'corrected' by Chrome, turning it into valid JavaScript. Please do not confuse with the other bypass that needs two parameters (http://code.google.com/p/chromium/issues/detail?id=96616). REPRODUCTION CASE E.g. http://securitee.org/files/chrome_xss_again.php?a=<script id=<script>alert(1)</script In the above case, there is no closing ">" after the value of the id and no closing ">" at the script closing tag, making the whole thing invalid. However, Chrome will happily turn this internally into: http://securitee.org/files/chrome_xss_again.php?a=<script id="<script">alert(1)</script> Reduction: http://securitee.org/files/chrome_xss_again.php?a=%3Cscript%3Ealert(1)%3C/script 469525 1 107887 tsepez 2011-09-19 10:58:16 -0700 Created attachment 107887 Patch to set end location of token before additional buffering takes place. 469540 2 107887 abarth 2011-09-19 11:07:25 -0700 Comment on attachment 107887 Patch to set end location of token before additional buffering takes place. View in context: https://bugs.webkit.org/attachment.cgi?id=107887&action=review > Source/WebCore/html/parser/HTMLTokenizer.cpp:305 > - if (cc == '<') > + if (cc == '<') { > + // Token might end here. If not, we'll come through here again > + // and update the end location again. > + m_token->end(source.numberOfCharactersConsumed()); > HTML_ADVANCE_TO(ScriptDataLessThanSignState); > + } Interesting. We have this same problem for CDATA and RCDATA. For example, the <title> and the <style> tags. It would be good to apply this kind of fix in those cases too, maybe in a follow-up patch. This patch feels a little bit like a hack because we're only doing this in one case, but I do agree that this patch is moving us in the right direction because the tokenizer should be setting the end marker for the token. 469585 3 107887 webkit.review.bot 2011-09-19 11:58:27 -0700 Comment on attachment 107887 Patch to set end location of token before additional buffering takes place. Clearing flags on attachment: 107887 Committed r95451: <http://trac.webkit.org/changeset/95451> 469586 4 webkit.review.bot 2011-09-19 11:58:31 -0700 All reviewed patches have been landed. Closing bug. 107887 2011-09-19 10:58:16 -0700 2011-09-19 11:58:27 -0700 Patch to set end location of token before additional buffering takes place. patch_68281.txt text/plain 5951 tsepez SW5kZXg6IFNvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2Vi Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDk1NDM5KQorKysgU291cmNlL1dlYkNvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMjEgQEAKKzIwMTEtMDktMTkgIFRvbSBTZXBl eiAgPHRzZXBlekBjaHJvbWl1bS5vcmc+CisKKyAgICAgICAgRml4IHhzc2F1ZGl0b3IgYnlwYXNz IHdpdGggdW50ZXJtaW5hdGVkIGNsb3NpbmcgdGFnIGJ5IG1ha2luZyB0aGUgSFRNTFNvdXJjZVRy YWNrZXIKKyAgICAgICAgYW5kIHRoZSBIVE1MUGFyc2VyIGludGVyYWN0IG1vcmUgY2xvc2VseSB3 aXRoIGVhY2ggb3RoZXIuICBIVE1MUGFyc2VyIHNob3VsZCBiZQorICAgICAgICBzZXR0aW5nIHRo ZSBlbmQgcmFuZ2UgZm9yIHRoZSB0b2tlbiBpdHNlbGYgdG8gYWNjb3VudCBmb3IgYnVmZmVyaW5n IHRoYXQgdGhlCisgICAgICAgIEhUTUxTb3VyY2VUcmFja2VyIGNhbid0IGtub3cgYWJvdXQsIGJ1 dCB0aGVyZSBhcmUgYSBsb3Qgb2YgcGF0aHMgdGhhdCB3b3VsZCBuZWVkCisgICAgICAgIHVwZGF0 aW5nLiBGaXJzdCBzdGVwIGlzIHRvIGNvdmVyIHRoaXMgb25lIHBhdGguCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD02ODI4MQorCisgICAgICAgIFJldmll d2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIFRlc3Q6IGh0dHAvdGVzdHMvc2VjdXJp dHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLXdpdGgtaW52YWxpZC1jbG9zaW5nLXRhZy5odG1sCisK KyAgICAgICAgKiBodG1sL3BhcnNlci9IVE1MU291cmNlVHJhY2tlci5jcHA6CisgICAgICAgIChX ZWJDb3JlOjpIVE1MU291cmNlVHJhY2tlcjo6ZW5kKToKKyAgICAgICAgKiBodG1sL3BhcnNlci9I VE1MVG9rZW5pemVyLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OkhUTUxUb2tlbml6ZXI6Om5leHRU b2tlbik6CisKIDIwMTEtMDktMTkgIExlYW5kcm8gUGVyZWlyYSAgPGxlYW5kcm9AcHJvZnVzaW9u Lm1vYmk+CiAKICAgICAgICAgVW5yZXZpZXdlZDogU2Nyb2xsYmFyVGhlbWVNb2NrLmNwcCBpcyBh bHJlYWR5IHJlZmVyZW5jZWQgaW4gdGhlCkluZGV4OiBTb3VyY2UvV2ViQ29yZS9odG1sL3BhcnNl ci9IVE1MU291cmNlVHJhY2tlci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL1dlYkNvcmUvaHRt bC9wYXJzZXIvSFRNTFNvdXJjZVRyYWNrZXIuY3BwCShyZXZpc2lvbiA5NTQyNikKKysrIFNvdXJj ZS9XZWJDb3JlL2h0bWwvcGFyc2VyL0hUTUxTb3VyY2VUcmFja2VyLmNwcAkod29ya2luZyBjb3B5 KQpAQCAtNDMsOCArNDMsMTIgQEAgdm9pZCBIVE1MU291cmNlVHJhY2tlcjo6c3RhcnQoY29uc3Qg SFRNTAogdm9pZCBIVE1MU291cmNlVHJhY2tlcjo6ZW5kKGNvbnN0IEhUTUxJbnB1dFN0cmVhbSYg aW5wdXQsIEhUTUxUb2tlbiYgdG9rZW4pCiB7CiAgICAgbV9jYWNoZWRTb3VyY2VGb3JUb2tlbiA9 IFN0cmluZygpOwotICAgIC8vIEZJWE1FOiBUaGlzIHdvcmsgc2hvdWxkIHJlYWxseSBiZSBkb25l IGJ5IHRoZSBIVE1MVG9rZW5pemVyLgotICAgIHRva2VuLmVuZChpbnB1dC5jdXJyZW50KCkubnVt YmVyT2ZDaGFyYWN0ZXJzQ29uc3VtZWQoKSk7CisKKyAgICAvLyBGSVhNRTogVGhpcyB3b3JrIHNo b3VsZCByZWFsbHkgYmUgZG9uZSBieSB0aGUgSFRNTFRva2VuaXplciBpbiBhbGwgY2FzZXMsCisg ICAgLy8gaW5zdGVhZCBvZiB0aGUgZmV3IGNhc2VzIHdoZXJlIGl0IGV4cGxpY2l0bHkgc3RlcHMg aW4gdG8gY29ycmVjdCB2YWx1ZXMKKyAgICAvLyBrbm93biB0byBiZSB3cm9uZyBpbiBmYWNlIG9m IGl0cyBpbnRlcm5hbCBidWZmZXJpbmcuCisgICAgaWYgKCF0b2tlbi5lbmRJbmRleCgpKQorICAg ICAgICB0b2tlbi5lbmQoaW5wdXQuY3VycmVudCgpLm51bWJlck9mQ2hhcmFjdGVyc0NvbnN1bWVk KCkpOwogfQogCiBTdHJpbmcgSFRNTFNvdXJjZVRyYWNrZXI6OnNvdXJjZUZvclRva2VuKGNvbnN0 IEhUTUxUb2tlbiYgdG9rZW4pCkluZGV4OiBTb3VyY2UvV2ViQ29yZS9odG1sL3BhcnNlci9IVE1M VG9rZW5pemVyLmNwcAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvV2ViQ29yZS9odG1sL3BhcnNlci9I VE1MVG9rZW5pemVyLmNwcAkocmV2aXNpb24gOTU0MjYpCisrKyBTb3VyY2UvV2ViQ29yZS9odG1s L3BhcnNlci9IVE1MVG9rZW5pemVyLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMjk3LDggKzI5Nywx MiBAQCBib29sIEhUTUxUb2tlbml6ZXI6Om5leHRUb2tlbihTZWdtZW50ZWRTCiAgICAgRU5EX1NU QVRFKCkKIAogICAgIEhUTUxfQkVHSU5fU1RBVEUoU2NyaXB0RGF0YVN0YXRlKSB7Ci0gICAgICAg IGlmIChjYyA9PSAnPCcpCisgICAgICAgIGlmIChjYyA9PSAnPCcpIHsKKyAgICAgICAgICAgIC8v IFRva2VuIG1pZ2h0IGVuZCBoZXJlLiBJZiBub3QsIHdlJ2xsIGNvbWUgdGhyb3VnaCBoZXJlIGFn YWluCisgICAgICAgICAgICAvLyBhbmQgdXBkYXRlIHRoZSBlbmQgbG9jYXRpb24gYWdhaW4uCisg ICAgICAgICAgICBtX3Rva2VuLT5lbmQoc291cmNlLm51bWJlck9mQ2hhcmFjdGVyc0NvbnN1bWVk KCkpOwogICAgICAgICAgICAgSFRNTF9BRFZBTkNFX1RPKFNjcmlwdERhdGFMZXNzVGhhblNpZ25T dGF0ZSk7CisgICAgICAgIH0KICAgICAgICAgZWxzZSBpZiAoY2MgPT0gSW5wdXRTdHJlYW1QcmVw cm9jZXNzb3I6OmVuZE9mRmlsZU1hcmtlcikKICAgICAgICAgICAgIHJldHVybiBlbWl0RW5kT2ZG aWxlKHNvdXJjZSk7CiAgICAgICAgIGVsc2UgewpJbmRleDogTGF5b3V0VGVzdHMvQ2hhbmdlTG9n Cj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwkocmV2aXNpb24gOTU0MzkpCisr KyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAgLTEsMyArMSwxOCBAQAor MjAxMS0wOS0xOSAgVG9tIFNlcGV6ICA8dHNlcGV6QGNocm9taXVtLm9yZz4KKworICAgICAgICBG aXggeHNzYXVkaXRvciBieXBhc3Mgd2l0aCB1bnRlcm1pbmF0ZWQgY2xvc2luZyB0YWcgYnkgbWFr aW5nIHRoZSBIVE1MU291cmNlVHJhY2tlcgorICAgICAgICBhbmQgdGhlIEhUTUxQYXJzZXIgaW50 ZXJhY3QgbW9yZSBjbG9zZWx5IHdpdGggZWFjaCBvdGhlci4gIEhUTUxQYXJzZXIgc2hvdWxkIGJl CisgICAgICAgIHNldHRpbmcgdGhlIGVuZCByYW5nZSBmb3IgdGhlIHRva2VuIGl0c2VsZiB0byBh Y2NvdW50IGZvciBidWZmZXJpbmcgdGhhdCB0aGUKKyAgICAgICAgSFRNTFNvdXJjZVRyYWNrZXIg Y2FuJ3Qga25vdyBhYm91dCwgYnV0IHRoZXJlIGFyZSBhIGxvdCBvZiBwYXRocyB0aGF0IHdvdWxk IG5lZWQKKyAgICAgICAgdXBkYXRpbmcuIEZpcnN0IHN0ZXAgaXMgdG8gY292ZXIgdGhpcyBvbmUg cGF0aC4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTY4 MjgxCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgKiBo dHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVzb3VyY2VzL2VjaG8taW50ZXJ0YWcucGw6 CisgICAgICAgICogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0 aC1pbnZhbGlkLWNsb3NpbmctdGFnLWV4cGVjdGVkLnR4dDogQWRkZWQuCisgICAgICAgICogaHR0 cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1pbnZhbGlkLWNsb3Np bmctdGFnLmh0bWw6IEFkZGVkLgorCiAyMDExLTA5LTE5ICBEbWl0cnkgTG9tb3YgIDxkc2xvbW92 QGdvb2dsZS5jb20+CiAKIAlbQ2hyb21pdW1dIFJlYmFzZWxpbmUgZXhwZWN0YXRpb25zIGR1ZSB0 byByOTU0MDIuCkluZGV4OiBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0 b3Ivc2NyaXB0LXRhZy13aXRoLWludmFsaWQtY2xvc2luZy10YWctZXhwZWN0ZWQudHh0Cj09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT0KLS0tIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3Jp cHQtdGFnLXdpdGgtaW52YWxpZC1jbG9zaW5nLXRhZy1leHBlY3RlZC50eHQJKHJldmlzaW9uIDAp CisrKyBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRh Zy13aXRoLWludmFsaWQtY2xvc2luZy10YWctZXhwZWN0ZWQudHh0CShyZXZpc2lvbiAwKQpAQCAt MCwwICsxLDMgQEAKK0NPTlNPTEUgTUVTU0FHRTogbGluZSAxOiBSZWZ1c2VkIHRvIGV4ZWN1dGUg YSBKYXZhU2NyaXB0IHNjcmlwdC4gU291cmNlIGNvZGUgb2Ygc2NyaXB0IGZvdW5kIHdpdGhpbiBy ZXF1ZXN0LgorCisKSW5kZXg6IExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVk aXRvci9zY3JpcHQtdGFnLXdpdGgtaW52YWxpZC1jbG9zaW5nLXRhZy5odG1sCj09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0K LS0tIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFn LXdpdGgtaW52YWxpZC1jbG9zaW5nLXRhZy5odG1sCShyZXZpc2lvbiAwKQorKysgTGF5b3V0VGVz dHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctd2l0aC1pbnZhbGlk LWNsb3NpbmctdGFnLmh0bWwJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMTUgQEAKKzwhRE9DVFlQ RSBodG1sPgorPGh0bWw+Cis8aGVhZD4KKzxzY3JpcHQ+CitpZiAod2luZG93LmxheW91dFRlc3RD b250cm9sbGVyKSB7CisgIGxheW91dFRlc3RDb250cm9sbGVyLmR1bXBBc1RleHQoKTsKKyAgbGF5 b3V0VGVzdENvbnRyb2xsZXIuc2V0WFNTQXVkaXRvckVuYWJsZWQodHJ1ZSk7Cit9Cis8L3Njcmlw dD4KKzwvaGVhZD4KKzxib2R5PgorPGlmcmFtZSBzcmM9Imh0dHA6Ly9sb2NhbGhvc3Q6ODAwMC9z ZWN1cml0eS94c3NBdWRpdG9yL3Jlc291cmNlcy9lY2hvLWludGVydGFnLnBsP2NsdXR0ZXI9JTIw PGk+PGI+JnE9PHNjcmlwdD5hbGVydChTdHJpbmcuZnJvbUNoYXJDb2RlKDB4NTgsMHg1MywweDUz KSk8L3NjcmlwdCI+Cis8L2lmcmFtZT4KKzwvYm9keT4KKzwvaHRtbD4KSW5kZXg6IExheW91dFRl c3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNvdXJjZXMvZWNoby1pbnRlcnRh Zy5wbAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09Ci0tLSBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1 ZGl0b3IvcmVzb3VyY2VzL2VjaG8taW50ZXJ0YWcucGwJKHJldmlzaW9uIDk1NDI2KQorKysgTGF5 b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3Jlc291cmNlcy9lY2hvLWlu dGVydGFnLnBsCSh3b3JraW5nIGNvcHkpCkBAIC0zMiw2ICszMiw5IEBAIGlmICgkY2dpLT5wYXJh bSgncmVsYXktdGFyZ2V0LWlkcy1mb3ItZXYKIH0KIHByaW50ICI8Ym9keT5cbiI7CiBwcmludCAk Y2dpLT5wYXJhbSgncScpOworaWYgKCRjZ2ktPnBhcmFtKCdjbHV0dGVyJykpIHsKKyAgICBwcmlu dCAkY2dpLT5wYXJhbSgnY2x1dHRlcicpOworfQogaWYgKCRjZ2ktPnBhcmFtKCdub3RpZnlEb25l JykpIHsKICAgICBwcmludCAiPHNjcmlwdD5cbiI7CiAgICAgcHJpbnQgImlmICh3aW5kb3cubGF5 b3V0VGVzdENvbnRyb2xsZXIpXG4iOwo=