- From: <bugzilla@jessica.w3.org>
- Date: Wed, 21 Nov 2012 05:52:50 +0000
- To: public-html@w3.org
https://www.w3.org/Bugs/Public/show_bug.cgi?id=20034 Bug ID: 20034 Summary: canvas getImageData opens security whole for code Classification: Unclassified Product: HTML WG Version: unspecified Hardware: All OS: All Status: NEW Severity: critical Priority: P2 Component: HTML Canvas 2D Context Assignee: jaymunro@microsoft.com Reporter: bertram@n-bis.de QA Contact: public-html-bugzilla@w3.org CC: mike@w3.org, public-html-wg-issue-tracking@w3.org, public-html@w3.org Created attachment 1249 --> https://www.w3.org/Bugs/Public/attachment.cgi?id=1249&action=edit sample image and html side With the canvas it is possible to read byte data out of an image. Images himself can come from different urls (hosts) without restriction. What happens when someone fill an image with code values as pixel data, load the image into an canvas and interpret it? He could execute code without any knowledge of any security prevention because the "code" are an image. What I've done is simple: 1. create an image where the pixel are the color representation of window['alert']('xss') this could be an gif, png... It depends of the color interpolation in the resulting image. 2. load the image into a web side 3. create an canvas object an put the image inside. 4. read the byte data of the canvas and cast it as string to eval Eh viola This is small js for it: var img=new Image(); img.onload=function() { var ca = document.createElement('canvas'); ca.width=this.width; ca.height=this.height; var ctx = ca.getContext('2d'); ctx.drawImage(this,0,0); var a="",d=ctx.getImageData(0, 0,this.width, this.height).data; for(var i=0;i<d.length;i++){ if(d[i]<255) a+=String.fromCharCode(d[i]); } eval(a); } img.src="exploid.gif"; -- You are receiving this mail because: You are on the CC list for the bug.
Received on Wednesday, 21 November 2012 05:52:52 UTC