Apache Cordova Bypass / Information Disclosure / Insertion
Posted Aug 5, 2014
Authored by Roee Hay, David Kaplan

Apache Cordova versions up to 3.5.0 suffer from information disclosure, whitelist bypass, and cross application issues.

tags | advisory, bypass, info disclosure
advisories | CVE-2014-3500, CVE-2014-3501, CVE-2014-3502
SHA-256 | b40574101ee277ded07c47ea5ed1519dd4879415cb724ee5af90126d1af3c686

Android Platform Release: 04 Aug 2014

Security issues were discovered in the Android platform of Cordova. We are releasing version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.

The security issues are CVE-2014-3500, CVE-2014-3501, and CVE-2014-3502.

For your convenience, the text of these CVEs is included here.

A blog post is available at http://cordova.apache.org/#news


CVE-2014-3500: Cordova cross-application scripting via Android intent URLs


Severity: High

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to 3.5.0

Description:
Android applications built with the Cordova framework can be launched through
a special intent URL. A specially-crafted URL could cause the Cordova-based
application to start up with a different start page than the developer
intended, including other HTML content stored on the Android device. This has
been the case in all released versions of Cordova up to 3.5.0, and has been
fixed in the latest release (3.5.1). We recommend affected projects update
their applications to the latest release.

Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


CVE-2014-3501: Cordova whitelist bypass for non-HTTP URLs


Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
All released Cordova Android versions

Description:
Android applications built with the Cordova framework use a WebView component
to display content. Cordova applications can specify a whitelist of URLs which
the application will be allowed to display, or to communicate with via
XMLHttpRequest. This whitelist, however, is not used by the WebView component
when it is directed via JavaScript to communicate over non-http channels.

Specifically, it can be possible to open a WebSocket connection from the
application JavaScript which will connect to any reachable server on the
Internet. If an attacker is able to execute arbitrary JavaScript within the
application, then that attacker can cause a connection to be opened to any
server, bypassing the HTTP whitelist.

This is a limitation of the hybrid app architecture on Android in general, and
not specific to Apache Cordova.

It is possible to mitigate this attack vector by adding a CSP meta tag to all
HTML pages in the application, to allow connections only to trusted sources.
App developers should also upgrade to Cordova Android 3.5.1, to reduce the risk
of XAS (cross-application scripting) attacks against their applications, which
could then use this mechanism to reach unintended servers. See CVE-2014-3500 for
more information on a possible XAS vulnerability.

Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1, and consider adding CSP meta tags to their application
HTML.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.


CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android intent URLs


Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
Cordova Android versions up to 3.5.0

Description:
Android applications built with the Cordova framework can launch other
applications through the use of anchor tags, or by redirecting the webview to
an Android intent URL. An attacker who can manipulate the HTML content of a
Cordova application can create links which open other applications and send
arbitrary data to those applications. An attacker who can run arbitrary
JavaScript code within the context of the Cordova application can also set the
document location to such a URL. By using this in concert with a second,
vulnerable application, an attacker might be able to use this method to send
data from the Cordova application to the network.

The latest release of Cordova Android takes steps to block explicit Android
intent URLs, so that they can no longer be used to start arbitrary applications
on the device.
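The two application-side mitigations the advisory describes (a CSP whose connect-src limits WebSocket and XMLHttpRequest targets for CVE-2014-3501, and refusing to let web content navigate to explicit intent URLs for CVE-2014-3502) can be demonstrated together in the app's own JavaScript. The block below is an added example, not code from the Cordova project or from the advisory authors; it assumes a constructed allow-list of origins (ALLOWED_ORIGINS, standing in for the origins a developer would also place in the app's whitelist), a hypothetical check function isUrlAllowed() that the page script calls before opening any outbound connection or navigation, and a helper that derives the content attribute of a `<meta http-equiv="Content-Security-Policy">` tag from that same list.

```javascript
// Added example (not Cordova project code): a defender-side URL policy for a
// hybrid Android app's web content, plus a CSP "connect-src" built from the
// same allow-list so the two stay in sync.
//
// Assumptions: ALLOWED_ORIGINS is a constructed stand-in for the origins the
// developer trusts; isUrlAllowed() is applied to outbound targets chosen by
// page script (links, XHR, WebSocket), not to the app's own bundled pages,
// which the native layer loads directly.

const ALLOWED_ORIGINS = [
  'https://api.example.com', // constructed: the app's own backend
  'wss://api.example.com',   // constructed: its WebSocket endpoint
];

// Parse a URL into {scheme, host, port}, or null if it cannot be parsed.
// Default ports are normalised away by the URL parser, so "https://h:443"
// and "https://h" compare equal.
function parseOrigin(str) {
  let u;
  try { u = new URL(str); } catch (e) { return null; }
  return { scheme: u.protocol.replace(':', ''), host: u.hostname, port: u.port };
}

// Decide whether web content may load or connect to `urlString`.
// Returns { allowed, reason } so that denials can be logged.
function isUrlAllowed(urlString, allowedOrigins = ALLOWED_ORIGINS) {
  const u = parseOrigin(urlString);
  if (!u) return { allowed: false, reason: 'unparseable URL' };

  // CVE-2014-3502 class: an explicit intent URL hands data to another app.
  // Web content should never be able to launch one.
  if (u.scheme === 'intent') return { allowed: false, reason: 'intent: scheme blocked' };

  // Only HTTP(S) and WebSocket schemes are considered; anything else is denied.
  if (!['http', 'https', 'ws', 'wss'].includes(u.scheme)) {
    return { allowed: false, reason: `scheme ${u.scheme}: not permitted` };
  }

  // CVE-2014-3501 class: the WebView's HTTP whitelist does not cover
  // WebSocket targets, so the app compares ws:/wss: origins itself.
  const match = allowedOrigins.some((a) => {
    const o = parseOrigin(a);
    return o && o.scheme === u.scheme && o.host === u.host && o.port === u.port;
  });
  return match
    ? { allowed: true, reason: 'origin on allow-list' }
    : { allowed: false, reason: `origin ${u.scheme}://${u.host} not on allow-list` };
}

// Content for <meta http-equiv="Content-Security-Policy" content="...">.
// connect-src governs XMLHttpRequest, fetch and WebSocket, which is the
// channel the advisory's CSP mitigation closes; default-src 'self' keeps
// scripts, images and frames inside the app bundle.
function buildCspContent(allowedOrigins = ALLOWED_ORIGINS) {
  const connect = ["'self'", ...allowedOrigins].join(' ');
  return `default-src 'self'; connect-src ${connect}`;
}

module.exports = { ALLOWED_ORIGINS, parseOrigin, isUrlAllowed, buildCspContent };
```

The CSP meta tag has to appear in every HTML page of the app, as the advisory notes, because each page is its own document and a page without the tag is unprotected. The JavaScript check is a second layer for cases where a policy cannot be delivered (for example content assembled at runtime); it is not a substitute for upgrading to Cordova Android 3.5.1, which blocks explicit intent URLs in the native layer where web content cannot bypass the check.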

Upgrade path:
Developers who are concerned about this should rebuild their applications with
Cordova Android 3.5.1.

Credit:
This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.