lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 11 Aug 2014 18:09:59 -0400
From: Marcel Kinard <cmarcelk@...il.com>
To: dev@...dova.apache.org, security@...che.org,
  oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: Apache Cordova 3.5.1: CVE-2014-3502 update

The following text is amended from the original that was sent on August 4th. More background information on this amendment can be found at http://cordova.apache.org/announcements/2014/08/06/android-351-update.html

Android Platform Release: 04 Aug 2014

CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL
loading


Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to 3.5.0

Description:
Android applications built with the Cordova framework can launch other
applications through the use of anchor tags, or by redirecting the webview to
an Android intent URL. An attacker who can manipulate the HTML content of a
Cordova application can create links which open other applications and send
arbitrary data to those applications. An attacker who can run arbitrary
JavaScript code within the context of the Cordova application can also set the
document location to such a URL. By using this in concert with a second,
vulnerable application, an attacker might be able to use this method to send
data from the Cordova application to the network.

The latest release of Cordova Android takes steps to block explicit Android
intent urls, so that they can no longer be used to start arbitrary applications
on the device.

Implicit intents, including URLs with schemes such as "tel", "geo", and "sms"
can still be used to open external applications by default, but this behaviour
can be overridden by plugins.

Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ