Drag-and-Drop and File Extension Bugs Enable Dropping of Malicious File
Categories
(Core :: DOM: Copy & Paste and Drag & Drop, defect)
People
(Reporter: curtisk, Assigned: enndeakin)
Details
(Keywords: csectype-other, sec-moderate, Whiteboard: Disclosure planned by EOY 2013, Chrome bug public now [adv-main102+])
Attachments
(2 files, 1 obsolete file)
Date: Wed, 27 Feb 2013 09:13:37 -0800 (PST)
From: Attila SUSZTER <asuszter@yahoo.com>
Subject: Re: [BTS] Drag-and-Drop and File Extension Bugs Enable Opera to Drop Malicious File
To: "DSK-383008@bugs.opera.com" <DSK-383008@bugs.opera.com>

-----//-----

Hi,

[CC-ed Mozilla and Google security teams]

Thanks for the additional information, and for the quick response.

Google tracks this issue at https://code.google.com/p/chromium/issues/detail?id=177980

Even though the impact on their side seems to be lower, it would probably be good to coordinate with them, too.

Attila

From: "DSK-383008@bugs.opera.com" <DSK-383008@bugs.opera.com>
To: asuszter@yahoo.com
Sent: Wednesday, 27 February 2013, 14:12
Subject: [BTS] Drag-and-Drop and File Extension Bugs Enable Opera to Drop Malicious File

Hi,

Thanks for your bug report; Drag-and-Drop and File Extension Bugs Enable Opera to Drop Malicious File

We can reproduce the issue, and will look into how to get it fixed in a public release as soon as possible. In order to protect users from abuse, we ask that you refrain from publicising the issue until we have had a chance to fix it.

The fault lies in Opera trusting the filename supplied by the page, instead of applying the appropriate filename for the file's mimetype.

Note, however, that the dnd API allows a page to supply any data and any mimetype, while also allowing a custom drag image to be displayed. This would allow actual executables to be added as the drag data, and these could then be dragged to the system from any browser that supports the HTML5 dnd API, while making the user think they were dragging an image. Other browsers do try to protect against this by removing the harmful extensions, but while investigating your bug report, we discovered that this protection could be bypassed in Firefox (image.jpg.exe.exe will become image.jpg.exe). We will inform Mozilla of this issue, and coordinate our announcement with them.

We would ask that you also refrain from announcing until both we and Mozilla have had a chance to fix this issue.

For more information regarding Opera's security policies, you may look at the following links:
http://www.opera.com/security/policy/
http://www.opera.com/security/rating/
http://my.opera.com/securitygroup/blog/2010/02/18/what-is-a-browser-security-issue-anyway

Thanks again for your report.

Tarquin Wilton-Jones
Security Group
Opera Software ASA

Reply to this e-mail to respond to the query.
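The two failure modes in the Opera reply above, a browser trusting the page-supplied filename outright and a single-pass extension strip that image.jpg.exe.exe slips past as image.jpg.exe, together with the suggested remedy of naming the file from its MIME type, as an added example that is not part of the bug report and not code from Firefox, Opera or Chrome. The dangerous-extension list and the MIME-to-extension map are illustrative assumptions, not any browser's real tables; the trimming of trailing dots and spaces reflects how Win32 normalises filenames and is also an addition here.

```javascript
// Added example, not code from the bug report or from any browser: a
// sanitizer for the filename a page supplies with drag-and-drop data.
// stripDangerousOnce() models the single-pass strip the report says
// Firefox applied (image.jpg.exe.exe -> image.jpg.exe); stripDangerousAll()
// strips to a fixpoint; safeDropFilename() then takes the extension from
// the declared MIME type, as the report says Opera should have done.
// Both tables below are assumptions chosen for illustration.
const DANGEROUS_EXTENSIONS = new Set([
  'exe', 'scr', 'bat', 'cmd', 'com', 'pif', 'msi', 'hta', 'lnk',
  'js', 'jse', 'vbs', 'vbe', 'ps1', 'jar', 'url',
]);

const MIME_TO_EXTENSION = {
  'image/jpeg': 'jpg',
  'image/png': 'png',
  'image/gif': 'gif',
  'text/plain': 'txt',
};

// Windows drops trailing dots and spaces when creating a file, so a name
// such as "image.exe." lands on disk as "image.exe". Trim both ends so the
// check sees what the filesystem will see (leading dots also hide files
// on Unix and would defeat the "no extension" case for ".exe").
function trimDotsAndSpaces(name) {
  return name.replace(/^[. ]+|[. ]+$/g, '');
}

function splitExtension(name) {
  const dot = name.lastIndexOf('.');
  if (dot <= 0) return { base: name, ext: '' };
  return { base: name.slice(0, dot), ext: name.slice(dot + 1).toLowerCase() };
}

// Single-pass strip: removes one dangerous trailing extension and stops.
// This is the behaviour the report describes as bypassable.
function stripDangerousOnce(name) {
  const trimmed = trimDotsAndSpaces(name);
  const { base, ext } = splitExtension(trimmed);
  return DANGEROUS_EXTENSIONS.has(ext) ? base : trimmed;
}

// Fixpoint strip: repeat until a pass changes nothing, so stacked
// extensions (a.jpg.exe.exe, a.exe.scr.exe, ...) all come off.
function stripDangerousAll(name) {
  let current = name;
  for (;;) {
    const next = stripDangerousOnce(current);
    if (next === current) return current;
    current = next;
  }
}

// Final on-disk name: the untrusted page name is stripped to a fixpoint and,
// when the declared MIME type is one we know, its extension is replaced by
// the one registered for that type. Path separators and control characters
// are replaced as extra hygiene; the report does not discuss them.
function safeDropFilename(pageName, mimeType) {
  const cleaned = String(pageName).replace(/[\\/:\x00-\x1f]/g, '_');
  const stripped = stripDangerousAll(cleaned);
  const mimeExt = MIME_TO_EXTENSION[mimeType];
  if (!mimeExt) return stripped || 'download';
  const { base, ext } = splitExtension(stripped);
  if (ext === mimeExt) return stripped;
  return (base || 'download') + '.' + mimeExt;
}

// Constructed inputs showing the bypass and the hardened result side by side.
const SAMPLES = [
  ['image.jpg.exe.exe', 'image/jpeg'],
  ['image.exe.', 'image/jpeg'],
  ['.exe', 'image/png'],
  ['payload.exe', 'application/octet-stream'],
];
for (const [name, mime] of SAMPLES) {
  console.log(
    `${name.padEnd(20)} once=${stripDangerousOnce(name).padEnd(16)}` +
    ` all=${stripDangerousAll(name).padEnd(12)} final=${safeDropFilename(name, mime)}`
  );
}
```

Replacing rather than appending the MIME extension is a design choice made here: a page that declares image/jpeg for photo.png gets photo.jpg, which matches the type the receiving application will actually be handed. When the MIME type is unknown the code falls back to the fixpoint-stripped name, which is still safe against the stacked-extension trick but keeps whatever benign extension the page supplied.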
Comment 1•11 years ago
Can you post the original bug report as well? The comment above only includes the response.
Comment 2•11 years ago
I created another PoC based on Tarquin's idea. Open index.html via http and follow the instruction. It should work on Opera and Firefox, but doesn't work on Chrome.
Comment 3•2 years ago
Any remaining issues should have been fixed by 1746052.
Comment 5•2 years ago
Not sure if the info from comment 2 is still relevant being 9 years old. Drag and drop action on the file in question is blocked in the fixed version (tested with Fx 102, on Windows 10). Is this the expected behavior? If not, can you provide some applicable steps to be able to confirm the fix. Thank you!
Comment 7•2 years ago
Comment on attachment 9282672 [details]
advisory.txt

>Drag and drop of malicious image could have led to malicious executable and potential code execution
>Attila Suszter
>
>An attacker who could have convinced a user to drag and drop an image to a filesystem could have manipulated the resulting filename to contain an executable extension, and by extension potentially tricked the user into executing malicious code.

While very similar, a separate issue from CVE-2022-XXXX.
Comment 8•2 years ago
I'm not sure that the testcase is relevant anymore. I assume at some point in the past, one could drag invalid images. The tests in the linked chrome bug also work fine.
Comment 9•2 years ago
(In reply to Neil Deakin from comment #8)
> I'm not sure that the testcase is relevant anymore. I assume at some point in the past, one could drag invalid images. The tests in the linked chrome bug also work fine.
Thank you for your response. I will remove the qe+ from the bug in this case.