CVE-2016-5135 in Chromeinfo

Summary

by MITRE

WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not consider referrer-policy information inside an HTML document during a preload request, which allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a crafted web site, as demonstrated by a "Content-Security-Policy: referrer origin-when-cross-origin" header that overrides a "" element.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 09/09/2022

The vulnerability identified as CVE-2016-5135 resides within the Blink rendering engine's HTML parser component, specifically in the HTMLPreloadScanner.cpp file. This flaw represents a critical security issue that affects Google Chrome versions prior to 52.0.2743.82, where the browser's handling of preload requests fails to properly consider referrer-policy information contained within HTML documents. The vulnerability stems from the fact that Blink's preload scanner operates without evaluating the referrer policy directives that may be present in the document, creating a potential bypass of Content Security Policy protections that should otherwise prevent unauthorized data leakage.

The technical implementation of this vulnerability involves the preload scanner's failure to process referrer policy information during the HTML parsing phase. When a web page contains a referrer-policy directive within its HTML document, this information should influence how referrer information is handled during subsequent requests, including preload requests. However, the Blink engine's HTMLPreloadScanner.cpp implementation ignores this directive, allowing attackers to craft malicious websites that can circumvent the Content Security Policy mechanisms. This behavior creates a situation where a "Content-Security-Policy: referrer origin-when-cross-origin" header can be overridden by a simple "" element, effectively neutralizing the security protections intended to control referrer information flow.

The operational impact of this vulnerability extends beyond simple policy bypass, as it enables remote attackers to potentially extract sensitive information that should otherwise be protected by the referrer policy mechanisms. The vulnerability operates through a specific attack vector where an attacker can manipulate the preload request behavior to bypass CSP protections that are designed to control how referrer information flows between different origins. This weakness particularly affects scenarios where websites implement strict referrer policies to prevent leakage of sensitive information, such as authentication tokens or session identifiers, to third-party domains. The flaw essentially allows attackers to bypass the intended security boundaries that should prevent unauthorized referrer information disclosure during resource preloading operations.

Security professionals should note that this vulnerability aligns with CWE-200, which covers the exposure of sensitive information, and can be categorized under ATT&CK technique T1071.004 for application layer protocol: DNS. The vulnerability demonstrates a failure in proper input validation and processing within the browser's HTML parsing pipeline, where the system fails to properly evaluate security directives that should guide request behavior. Organizations should implement immediate mitigations including updating to Chrome version 52.0.2743.82 or later, where the vulnerability has been patched. Additionally, administrators should review their CSP implementations to ensure that referrer policy directives are properly enforced and that the browser's preload functionality is not being exploited to bypass these protections. The patch addresses the core issue by ensuring that referrer policy information is properly considered during preload requests, thereby maintaining the integrity of the Content Security Policy enforcement mechanisms.

Reservation

05/31/2016

Disclosure

07/23/2016

Moderation

accepted

Entry

VDB-90243

CPE

ready

EPSS

0.01604

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!