Google Chrome Arbitrary File Download Vulnerability

Bugtraq ID:	31000
Class:	Design Error
CVE:	CVE-2008-6996
Remote:	Yes
Local:	No
Published:	Sep 03 2008 12:00AM
Updated:	May 07 2015 05:24PM
Credit:	nerex
Vulnerable:	Google Chrome 0.2.149 .27
Not Vulnerable:

Google Chrome Arbitrary File Download Vulnerability

Google Chrome is prone to a security vulnerability because the application allows users to download arbitrary files without confirmation.

This issue may allow attackers to perform social-engineering or other attacks to trick users into downloading a malicious file.

Google Chrome Arbitrary File Download Vulnerability

Attackers can use social engineering or other techniques to trick an unsuspecting user into downloading a malicious file.

UPDATE (March 30, 2009): This issue is being exploited in the wild.

The following examples are available:

• /data/vulnerabilities/exploits/31000.html
• /data/vulnerabilities/exploits/31000-2.html

Google Chrome Arbitrary File Download Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Google Chrome Arbitrary File Download Vulnerability

References:

• Google Chrome Homepage (Google)
  
• Google Chrome Auto download exploit .. ([email protected])
  
• Google Chrome Automatic File Download ([email protected])
  
• RE: Google Chrome Automatic File Download (James C. Slora Jr. )
  
• RES: Google Chrome Automatic File Download (DIOGO LEAL CHAGAS )