OSVDB/102781漏洞详情 - SCAP中文社区

OSVDB

- 漏洞信息

OSVDBID: 102781
漏洞名称:Apache Cordova / PhoneGap on Android Dynamic Bridge Mechanism Loading Domain Whitelist Bypass
漏洞位置: Context Dependent, Mobile Phone / Hand-held Device	利用方式: Input Manipulation
漏洞影响:Loss of Integrity	解决方式:Third-Party Solution
漏洞利用:Exploit Unknown	公开方式:No Vendor Response

- 漏洞描述

Apache Cordova and PhoneGap contain a flaw that is triggered when handling a malformed script running in an iframe, which can allow the script to choose any vulnerable bridge mechanisms via addJavascriptInterface or loadUrl at runtime. This may allow a context-dependent attacker to bypass the domain whitelist.

- 时间线

公开日期: 2014-01-24	发现日期: Unknow
利用日期:Unknow	解决日期:Unknow

- 解决方案

Currently, there are no known workarounds or vendor upgrades to correct this issue. However, the researchers who disclosed this issue have released 'NoFrak', which they claim fixes this vulnerability. As with all third-party solutions, ensure they come from a reliable source and are permitted under your company's security policy.

- 相关参考

Related OSVDB ID: 102782 102783 1269627
Vendor URL: http://cordova.apache.org/
http://phonegap.com/
Packet Storm: http://packetstormsecurity.com/files/124954/Apache-Cordova-PhoneGap-Whitelist-Bypass.html
Mail List Post: http://seclists.org/bugtraq/2014/Jan/96
Other Advisory URL: http://www.cs.utexas.edu/~shmat/shmat_ndss14nofrak.pdf
Other Solution URL: https://github.com/georgiev-martin/NoFrak

- 漏洞作者

Unknown or Incomplete

CVE数据库

检索CVE

关于CVE

CVE资源

Wise Words

设计是一个发现问题，而不是发现解决方案的过程。

-- Leslie Chicoine

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息，请查阅[关于本站]。

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标，它们的官方数据源均保存在MITRE公司的相关网站。

CVE 通用漏洞与披露Common Vulnerabilities and Exposures