Google Chrome 'chromeHTML://' Command Line Parameter Injection Vulnerability

Google Chrome is prone to a vulnerability that lets attackers inject command-line parameters through protocol handlers. This issue occurs because the application fails to adequately sanitize user-supplied input.

Exploiting this issue would permit remote attackers to influence command options that can be called through the vulnerable protocol handler and to execute commands and arbitrary code with the privileges of a user running the application.

Google Chrome 1.0.154.36 is vulnerable; other versions may also be affected.

Update (January 30, 2009): This issue occurs when the argument '--no-sandbox' is included in the URI passed to Google Chrome.


 

Privacy Statement
Copyright 2010, SecurityFocus