Bug 813868 - canvas getImageData opens security hole for code
Status: RESOLVED INVALID (Closed)
Opened 12 years ago, closed 12 years ago
Component: Core :: General, defect
Reporter: bertram, Unassigned
Attachments (1 file): 716 bytes, application/octet-stream
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121025210744

Steps to reproduce:

With the canvas it is possible to read byte data out of an image. Images themselves can come from different URLs (hosts) without restriction. What happens when someone fills an image with code values as pixel data, loads the image into a canvas and interprets it? He could execute code without any knowledge of any security prevention, because the "code" is an image.

What I've done is simple:
1. Create an image where the pixels are the color representation of window['alert']('xss'). This could be a GIF, PNG... It depends on the color interpolation in the resulting image.
2. Load the image into a web site.
3. Create a canvas object and put the image inside.
4. Read the byte data of the canvas and cast it as a string to eval.
Et voila.

This is a small JS for it:

    var img = new Image();
    img.onload = function () {
        // Draw the loaded image into an offscreen canvas of the same size
        var ca = document.createElement('canvas');
        ca.width = this.width;
        ca.height = this.height;
        var ctx = ca.getContext('2d');
        ctx.drawImage(this, 0, 0);
        // Read the raw RGBA bytes back; every byte below 255 becomes one character
        // (255 is skipped, so opaque alpha and pure white act as padding)
        var a = "", d = ctx.getImageData(0, 0, this.width, this.height).data;
        for (var i = 0; i < d.length; i++) {
            if (d[i] < 255) a += String.fromCharCode(d[i]);
        }
        // The decoded pixel bytes are handed straight to eval
        eval(a);
    };
    img.src = "exploid.gif";

Actual results:

The alert box is displayed,
Updated • 12 years ago (Reporter)
OS: Linux → All
Hardware: x86_64 → All
Comment 1 • 12 years ago
Given https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034 this is clearly not security-sensitive. And further, it's invalid. The security issue is in calling eval() on untrusted strings, which a web page can get in all sorts of ways, not in getImageData.
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Comment 2 • 12 years ago (Reporter)
Yes, eval is the real problem. But with this way there is no way for any intrusion detection system to scan text and code, because it's in an image. So for something like the BlackHole kit it would be easier to deliver any code without restriction to any prevention system.
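Added example, not code from the bug report, the reporter, or Firefox: it serves the reporter's decoder above (comment 0) and the detection question raised in comment 2. It decodes canvas-style RGBA bytes with the same rule the report uses (drop 255, map the rest to characters) but never evaluates the result; instead, a scanner that has already rasterized an image can run this over the pixel buffer and flag buffers whose longest printable run contains script tokens. It runs under Node with no canvas: the pixel buffers are constructed inline, and the function names, the 16-character run threshold and the token list are this example's own choices, not any standard.

```javascript
// Added example (not part of the bug report or Firefox): a defender-side
// check that decodes canvas-style RGBA bytes the way the reporter's snippet
// does but never evaluates the result; it flags buffers that decode to
// script-like text. Pixel buffers are constructed inline for Node; no real
// image or canvas is involved.

const PRINTABLE_MIN = 0x20; // ' '
const PRINTABLE_MAX = 0x7e; // '~'
const MIN_RUN = 16;         // shortest printable run worth inspecting (chosen here, not a standard)
// Tokens that commonly mark executable JavaScript hidden inside data (example list).
const SCRIPT_TOKENS = [
  /\beval\s*\(/, /\bFunction\s*\(/, /\balert\s*\(/,
  /\bwindow\b/, /\bdocument\b/, /\bfromCharCode\b/,
];

// Same decoding rule as the report: every byte below 255 becomes a character;
// 255 (opaque alpha, pure white) is dropped. Returns the string, nothing more.
function decodeLikeReporter(data) {
  let out = '';
  for (let i = 0; i < data.length; i++) {
    if (data[i] < 255) out += String.fromCharCode(data[i]);
  }
  return out;
}

// Longest run of printable ASCII in text, as {start, length}.
function longestPrintableRun(text) {
  let best = { start: 0, length: 0 };
  let start = 0, len = 0;
  for (let i = 0; i <= text.length; i++) {
    const code = i < text.length ? text.charCodeAt(i) : -1; // -1 flushes the final run
    if (code >= PRINTABLE_MIN && code <= PRINTABLE_MAX) {
      if (len === 0) start = i;
      len++;
    } else {
      if (len > best.length) best = { start, length: len };
      len = 0;
    }
  }
  return best;
}

// Decode the buffer and report whether its longest printable run looks like script.
function scanPixels(data) {
  const text = decodeLikeReporter(data);
  const run = longestPrintableRun(text);
  const candidate = text.slice(run.start, run.start + run.length);
  const hits = SCRIPT_TOKENS.filter((re) => re.test(candidate)).map((re) => re.source);
  return {
    suspicious: run.length >= MIN_RUN && hits.length > 0,
    runLength: run.length,
    hits,
    candidate,
  };
}

// Constructed fixture mirroring step 1 of the report: text goes into the
// RGB channels, alpha is 255, and unused channels are padded with 255 so
// the decoder drops them.
function constructPayloadPixels(text) {
  const pixels = Math.ceil(text.length / 3);
  const data = new Uint8ClampedArray(pixels * 4);
  let k = 0;
  for (let p = 0; p < pixels; p++) {
    for (let c = 0; c < 3; c++, k++) {
      data[p * 4 + c] = k < text.length ? text.charCodeAt(k) : 255;
    }
    data[p * 4 + 3] = 255;
  }
  return data;
}

// Constructed fixture standing in for an ordinary photo: deterministic
// pseudo-random RGB bytes (an LCG, not cryptographic) with opaque alpha.
function constructNoisePixels(pixels, seed = 1) {
  const data = new Uint8ClampedArray(pixels * 4);
  let s = seed >>> 0;
  for (let i = 0; i < pixels * 4; i++) {
    if (i % 4 === 3) { data[i] = 255; continue; }
    s = (Math.imul(s, 1103515245) + 12345) >>> 0;
    data[i] = (s >>> 16) % 255; // 0..254, so every byte survives decoding
  }
  return data;
}

// Stand-alone demo: the report's own string is flagged, photo-like noise is not.
const demoPayload = "window['alert']('xss')";
console.log(scanPixels(constructPayloadPixels(demoPayload)));
console.log(scanPixels(constructNoisePixels(1000)).suspicious);
```

The scanner only ever treats the decoded bytes as a string, which is the point comment 1 makes: getImageData is a data API, and the hazard begins when a page passes that data to eval. On the page side, a Content-Security-Policy whose script-src directive omits 'unsafe-eval' makes the eval(a) call in the report throw instead of executing, whatever the decoded string contains; on the inspection side, a heuristic like the one above is only meaningful after the image has been rendered to pixels, since the same text can be encoded in many compressed forms.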