cordova-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From i..@apache.org
Subject svn commit: r1616301 - in /cordova/site: public/ public/announcements/2014/08/04/ public/announcements/2014/08/06/ public/blog/ www/_posts/
Date Wed, 06 Aug 2014 18:52:06 GMT
Author: ian
Date: Wed Aug  6 18:52:05 2014
New Revision: 1616301

URL: http://svn.apache.org/r1616301
Log:
Add Cordova-Android 3.5.1 Update blog post, and amend text of previous post

Added:
    cordova/site/public/announcements/2014/08/06/
    cordova/site/public/announcements/2014/08/06/android-351-update.html
    cordova/site/www/_posts/2014-08-06-android-351-update.md
Modified:
    cordova/site/public/announcements/2014/08/04/android-351.html
    cordova/site/public/blog/index.html
    cordova/site/public/index.html
    cordova/site/public/rss.xml
    cordova/site/www/_posts/2014-08-04-android-351.md

Modified: cordova/site/public/announcements/2014/08/04/android-351.html
URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2014/08/04/android-351.html?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/public/announcements/2014/08/04/android-351.html (original)
+++ cordova/site/public/announcements/2014/08/04/android-351.html Wed Aug  6 18:52:05 2014
@@ -70,6 +70,8 @@
     <p class="meta">04 Aug 2014</p>
     <div class="post">
     
+<p><strong>Updated: 2014-08-06</strong> (The text of CVE-2014-3502 was
changed after this post was released, to better explain the cope of the issue and the ways
to mitigate the problem)</p>
+
 <p>Security issues were discovered in the Android platform of Cordova. We are releasing
version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android
applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other
Cordova platforms such as iOS are unaffected, and do not have an update.</p>
 
 <p>When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:</p>
@@ -114,6 +116,26 @@
 
 <p>Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.</p>
 <hr />
+<p>CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL loading</p>
+
+<p>Severity: Medium</p>
+
+<p>Vendor: The Apache Software Foundation</p>
+
+<p>Versions Affected: Cordova Android versions up to 3.5.0</p>
+
+<p>Description: Android applications built with the Cordova framework can launch other
applications through the use of anchor tags, or by redirecting the webview to an Android intent
URL. An attacker who can manipulate the HTML content of a Cordova application can create links
which open other applications and send arbitrary data to those applications. An attacker who
can run arbitrary JavaScript code within the context of the Cordova application can also set
the document location to such a URL. By using this in concert with a second, vulnerable application,
an attacker might be able to use this method to send data from the Cordova application to
the network.</p>
+
+<p>The latest release of Cordova Android takes steps to block explicit Android intent
urls, so that they can no longer be used to start arbitrary applications on the device.</p>
+
+<p>Implicit intents, including URLs with schemes such as “tel”, “geo”,
and “sms” can still be used to open external applications by default, but this behaviour
can be overridden by plugins.</p>
+
+<p>Upgrade path: Developers who are concerned about this should rebuild their applications
with Cordova Android 3.5.1.</p>
+
+<p>Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.</p>
+
+<p>(This notice originally read as follows:)</p>
+
 <p>CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android
intent URLs</p>
 
 <p>Severity: Medium</p>

Added: cordova/site/public/announcements/2014/08/06/android-351-update.html
URL: http://svn.apache.org/viewvc/cordova/site/public/announcements/2014/08/06/android-351-update.html?rev=1616301&view=auto
==============================================================================
--- cordova/site/public/announcements/2014/08/06/android-351-update.html (added)
+++ cordova/site/public/announcements/2014/08/06/android-351-update.html Wed Aug  6 18:52:05
2014
@@ -0,0 +1,171 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <link rel="SHORTCUT ICON" href="//cordova.apache.org/favicon.ico"/>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <meta name = "format-detection" content = "telephone=no">
+    <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1,
minimum-scale=1, width=device-width" />
+    <!-- Original Jekyll
+    <meta name="viewport" content="width=device-width">
+    -->
+    <title>Apache Cordova Android 3.5.1 Update</title>
+    <!-- syntax highlighting CSS -->
+    <link rel="stylesheet" href="//cordova.apache.org/css/syntax.css">
+    <!-- Custom CSS -->
+    <link rel="stylesheet" href="//cordova.apache.org/css/main.css">
+
+    <!-- Cordova CSS -->
+    <link rel="stylesheet" type="text/css" href="//cordova.apache.org/css/master.css">
+    <script src="//cordova.apache.org/js/smooth.pack.js" type="text/javascript"></script>
+    <script type="text/javascript">
+      var _gaq = _gaq || [];
+      _gaq.push(['_setAccount', 'UA-94271-30']);
+      _gaq.push(['_trackPageview']);
+      (function() {
+        var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async
= true;
+        ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www')
+ '.google-analytics.com/ga.js';
+        var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga,
s);
+      })();
+    </script>
+</head>
+
+<body>
+
+    <a class="scroll-point pt-top" name="top">
+</a>
+<div id="header">
+    <div class="wrap">
+        <a class="logo" href="//cordova.apache.org/#top"></a>
+        <div class="menu">
+            <a href="//cordova.apache.org/#about">About</a>
+            <a href="//cordova.apache.org/#news">News</a>
+            <a href="http://cordova.apache.org/docs/en/3.5.0/">Documentation</a>
+            <a href="http://plugins.cordova.io/">Plugins</a>
+            <a href="//cordova.apache.org/#links">Quick Links</a>
+            <a href="//cordova.apache.org/#contribute">Contribute</a>
+            <a href="//cordova.apache.org/#mailing-list">Mailing List</a>
+        </div>
+        <form class="menu-dropdown">
+            <select onchange="location = this.options[this.selectedIndex].value;">
+                <option value="//cordova.apache.org/#about">About</option>
+                <option value="//cordova.apache.org/#news">News</option>
+                <option value="http://cordova.apache.org/docs/en/3.5.0/">Documentation</option>
+                <option value="http://plugins.cordova.io/">Plugins</option>
+                <option value="//cordova.apache.org/#links">Quick Links</option>
+                <option value="//cordova.apache.org/#contribute">Contribute</option>
+                <option value="//cordova.apache.org/#mailing-list">Mailing List</option>
+            </select>
+        </form>
+    </div>
+    <div class="shadow"></div>
+</div> <!-- /header -->
+<div class="header-placeholder"></div>
+
+
+        <div class="site">
+    <h2>Apache Cordova Android 3.5.1 Update</h2>
+    <div class="meta">Posted by: <a href="https://twitter.com/iclelland">Ian
Clelland</a></div>
+    <p class="meta">06 Aug 2014</p>
+    <div class="post">
+    
+<p>On Monday, we released Cordova Android 3.5.1, to address a couple of security issues.
Afterwards, talking with the original researchers, we realized that the text of the security
announcement that went out wasn’t quite right, so we’ve amended it.</p>
+
+<p>You can read the amended blog post <a href="http://cordova.apache.org/announcements/2014/08/04/android-351.html">here</a>.</p>
+
+<p>The issue in CVE-2014-3502 is that Cordova applications would, by default, pass
any URLs that they couldn’t load to the Android intent system for handling. This lets
developers construct URLs that open email applications, maps, or send SMS messages, or even
open web pages in the system browser, but it also allowed malicious URLs that could potentially
open other applications on the device. This meant that if someone could execute their own
JavaScript in your application, that they could use other applications on the device to “phone
home” with the user’s data. This is why we are recommending that all Android developers
upgrade to Cordova 3.5.1.</p>
+<!--more-->
+<p>In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious
URLs, but will still open links like <code>sms:</code>, <code>mailto:</code>,
or <code>geo:</code> in their default applications. (It is, after all, a useful
feature, and there are many published applications which rely on that behaviour.) If you want
to restrict that even further, you can use Cordova plugins to customize which URLs can be
loaded, and which URLs will be blocked completely.</p>
+
+<p>As a very simple example of this, I have published a sample plugin which blocks
all external applications from loading. To use it, install it like</p>
+
+<pre><code>cordova plugin add net.iclelland.external-app-block</code></pre>
+
+<p>or feel free to clone it from <a href="https://github.com/clelland/cordova-plugin-external-app-block">GitHub</a>
and tweak it to suit your needs.</p>
+
+<p>We’re hoping to have a more flexible solution built in to Cordova with the
next release, but in the meantime, the plugin system is powerful enough to allow you to control
this for your apps yourself.</p>
+
+    </div>
+</div>
+
+
+
+    <a class="scroll-point" name="links"></a>
+<hr/>
+
+<div class="wrap quick-links-pane">
+    <h2 class="icon icon-quick-links">Quick Links</h2>
+    <br/>
+    <ul class="quick-links-header">
+        <li>General</li>
+        <li>Development</li>
+        <li class="last">Apache Software Foundation</li>
+    </ul>
+    <div class="clear"></div>
+</div>
+
+<div class="grid">
+    <div class="wrap">
+        <div class="list-container">
+            <ul class="list quick-links">
+                <li class="corner"></li>
+                <li><a href="//cordova.apache.org/index.html#about">About Cordova<span></span></a></li>
+
+                
+                <li><a href="http://projects.apache.org/projects/cordova.html">Apache
Project Page<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License<span></span></a></li>
+                
+
+                <li><a href="//cordova.apache.org/artwork.html">Artwork<span></span></a></li>
+            </ul>
+
+            <ul class="list quick-links">
+                <li class="corner"></li>
+                <li><a href="//cordova.apache.org/index.html#download">Download<span></span></a></li>
+                <li><a href="http://cordova.apache.org/docs/en/3.5.0/">Documentation<span></span></a></li>
+
+                
+                <li><a href="https://git-wip-us.apache.org/repos/asf">Source
Code<span></span></a></li>
+                
+                <li><a href="https://issues.apache.org/jira/browse/CB">Issue
Tracker<span></span></a></li>
+                
+                <li><a href="http://wiki.apache.org/cordova/">Wiki<span></span></a></li>
+                
+
+                <li><a href="//cordova.apache.org/index.html#mailing-list">Mailing
List<span></span></a></li>
+
+                <li><a href="http://stackoverflow.com/tags/cordova">Support<span></span></a></li>
+            </ul>
+
+            <ul class="list quick-links last">
+                <li class="corner"></li>
+                
+                <li><a href="http://www.apache.org/">About ASF<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/foundation/thanks.html">Thanks<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/foundation/sponsorship.html">Become
a Sponsor<span></span></a></li>
+                
+                <li><a href="http://www.apache.org/security/">Security<span></span></a></li>
+                
+            </ul>
+
+            <div class="clear"></div>
+        </div>
+    </div>
+</div>
+
+
+    <hr/>
+<div id="footer">
+    <p>Copyright © 2012, 2013 The Apache Software Foundation, Licensed under the
<a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.<br/>
+    Apache and the Apache feather logos are <a href="http://www.apache.org/foundation/marks/list/">trademarks</a>
of The Apache Software Foundation.
+    </p>
+    <a class="closing" href="#top"></a>
+</div>
+
+
+</body>
+</html>

Modified: cordova/site/public/blog/index.html
URL: http://svn.apache.org/viewvc/cordova/site/public/blog/index.html?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/public/blog/index.html (original)
+++ cordova/site/public/blog/index.html Wed Aug  6 18:52:05 2014
@@ -69,6 +69,11 @@
 <ul class="posts">
   
     <li>
+    <span>06 Aug 2014</span> &raquo;
+    <a href="//cordova.apache.org/announcements/2014/08/06/android-351-update.html">Apache
Cordova Android 3.5.1 Update</a>
+    </li>
+  
+    <li>
     <span>04 Aug 2014</span> &raquo;
     <a href="//cordova.apache.org/announcements/2014/08/04/android-351.html">Apache
Cordova Android 3.5.1</a>
     </li>

Modified: cordova/site/public/index.html
URL: http://svn.apache.org/viewvc/cordova/site/public/index.html?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/public/index.html (original)
+++ cordova/site/public/index.html Wed Aug  6 18:52:05 2014
@@ -101,8 +101,20 @@
   <h2>News <a href="/rss.xml" style="font-size:12pt; margin-left:10px">Subscribe</a></h2>
   <ul class="posts">
     
+      <li><span>06 Aug 2014</span> &raquo; <a href="//cordova.apache.org/announcements/2014/08/06/android-351-update.html">Apache
Cordova Android 3.5.1 Update</a>
+      
+<p>On Monday, we released Cordova Android 3.5.1, to address a couple of security issues.
Afterwards, talking with the original researchers, we realized that the text of the security
announcement that went out wasn’t quite right, so we’ve amended it.</p>
+
+<p>You can read the amended blog post <a href="http://cordova.apache.org/announcements/2014/08/04/android-351.html">here</a>.</p>
+
+<p>The issue in CVE-2014-3502 is that Cordova applications would, by default, pass
any URLs that they couldn’t load to the Android intent system for handling. This lets
developers construct URLs that open email applications, maps, or send SMS messages, or even
open web pages in the system browser, but it also allowed malicious URLs that could potentially
open other applications on the device. This meant that if someone could execute their own
JavaScript in your application, that they could use other applications on the device to “phone
home” with the user’s data. This is why we are recommending that all Android developers
upgrade to Cordova 3.5.1.</p>
+
+      <div style="padding-bottom:2em"><a href="//cordova.apache.org/announcements/2014/08/06/android-351-update.html">Read
More</a></div>
+    
       <li><span>04 Aug 2014</span> &raquo; <a href="//cordova.apache.org/announcements/2014/08/04/android-351.html">Apache
Cordova Android 3.5.1</a>
       
+<p><strong>Updated: 2014-08-06</strong> (The text of CVE-2014-3502 was
changed after this post was released, to better explain the cope of the issue and the ways
to mitigate the problem)</p>
+
 <p>Security issues were discovered in the Android platform of Cordova. We are releasing
version 3.5.1 of Cordova Android to address these security issues. We recommend that all Android
applications built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other
Cordova platforms such as iOS are unaffected, and do not have an update.</p>
 
 <p>When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:</p>
@@ -160,39 +172,6 @@ npm install -g plugman</code></pre>
 
       <div style="padding-bottom:2em"><a href="//cordova.apache.org/news/2014/07/10/tools-release.html">Read
More</a></div>
     
-      <li><span>08 Jul 2014</span> &raquo; <a href="//cordova.apache.org/news/2014/07/08/plugins-release.html">Plugins
Release: July 8, 2014</a>
-      
-<p>The following plugins were updated today:</p>
-
-<ul>
-<li>cordova-plugin-contacts: 0.2.11</li>
-
-<li>cordova-plugin-network-information: 0.2.10</li>
-</ul>
-
-<p>Notable changes include:</p>
-
-<ul>
-<li>The network-information plugin no longer crashes immediately if no network is available</li>
-
-<li><code>navigator.contacts.pickContact</code> API has been added for
<strong>Android</strong>, <strong>iOS</strong>, <strong>Windows
Phone 8</strong> and <strong>Windows 8</strong> platforms</li>
-
-<li><code>navigator.contacts.find</code> API on <strong>Android</strong>,
<strong>iOS</strong> and <strong>Windows Phone 8</strong> now supports
<code>desiredFields</code> which specifies contact fields to be returned</li>
-
-<li>Contacts on <strong>Firefox OS</strong> no longer requires manual change
of the application permissions</li>
-</ul>
-
-<p>The plugins have been updated on our registry at <a href="http://plugins.cordova.io/">plugins.cordova.io</a>.</p>
-<hr />
-<p>You can update any plugin by removing it, and then re-adding it. E.g. To update
your contacts plugin:</p>
-
-<pre><code>cordova plugin rm org.apache.cordova.contacts
-cordova plugin add org.apache.cordova.contacts</code></pre>
-
-<p>Other changes include:</p>
-
-      <div style="padding-bottom:2em"><a href="//cordova.apache.org/news/2014/07/08/plugins-release.html">Read
More</a></div>
-    
   </ul>
   
   <p>

Modified: cordova/site/public/rss.xml
URL: http://svn.apache.org/viewvc/cordova/site/public/rss.xml?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/public/rss.xml (original)
+++ cordova/site/public/rss.xml Wed Aug  6 18:52:05 2014
@@ -5,8 +5,8 @@
         <description>Apache Cordova - Apache Cordova is a set of device APIs that allow
a web mobile app developer to access native device function from JavaScript.</description>
         <atom:link href="http://cordova.apache.org/rss.xml" rel="self" type="application/rss+xml"
/>
         <link>http://cordova.apache.org/rss.xml</link>
-        <lastBuildDate>Mon, 04 Aug 2014 14:34:03 -0700</lastBuildDate>
-        <pubDate>Mon, 04 Aug 2014 14:34:03 -0700</pubDate>
+        <lastBuildDate>Wed, 06 Aug 2014 14:35:38 -0400</lastBuildDate>
+        <pubDate>Wed, 06 Aug 2014 14:35:38 -0400</pubDate>
         <ttl>1800</ttl>
         <image>
             <url>http://cordova.apache.org</url>
@@ -19,8 +19,34 @@
 
 
         <item>
+                <title>Apache Cordova Android 3.5.1 Update</title>
+                <description>
+&lt;p&gt;On Monday, we released Cordova Android 3.5.1, to address a couple of security
issues. Afterwards, talking with the original researchers, we realized that the text of the
security announcement that went out wasn’t quite right, so we’ve amended it.&lt;/p&gt;
+
+&lt;p&gt;You can read the amended blog post &lt;a href=&quot;http://cordova.apache.org/announcements/2014/08/04/android-351.html&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;
+
+&lt;p&gt;The issue in CVE-2014-3502 is that Cordova applications would, by default,
pass any URLs that they couldn’t load to the Android intent system for handling. This
lets developers construct URLs that open email applications, maps, or send SMS messages, or
even open web pages in the system browser, but it also allowed malicious URLs that could potentially
open other applications on the device. This meant that if someone could execute their own
JavaScript in your application, that they could use other applications on the device to “phone
home” with the user’s data. This is why we are recommending that all Android developers
upgrade to Cordova 3.5.1.&lt;/p&gt;
+&lt;!--more--&gt;
+&lt;p&gt;In order not to break existing applications, Cordova 3.5.1 disallows clearly
malicious URLs, but will still open links like &lt;code&gt;sms:&lt;/code&gt;,
&lt;code&gt;mailto:&lt;/code&gt;, or &lt;code&gt;geo:&lt;/code&gt;
in their default applications. (It is, after all, a useful feature, and there are many published
applications which rely on that behaviour.) If you want to restrict that even further, you
can use Cordova plugins to customize which URLs can be loaded, and which URLs will be blocked
completely.&lt;/p&gt;
+
+&lt;p&gt;As a very simple example of this, I have published a sample plugin which
blocks all external applications from loading. To use it, install it like&lt;/p&gt;
+
+&lt;pre&gt;&lt;code&gt;cordova plugin add net.iclelland.external-app-block&lt;/code&gt;&lt;/pre&gt;
+
+&lt;p&gt;or feel free to clone it from &lt;a href=&quot;https://github.com/clelland/cordova-plugin-external-app-block&quot;&gt;GitHub&lt;/a&gt;
and tweak it to suit your needs.&lt;/p&gt;
+
+&lt;p&gt;We’re hoping to have a more flexible solution built in to Cordova with
the next release, but in the meantime, the plugin system is powerful enough to allow you to
control this for your apps yourself.&lt;/p&gt;
+</description>
+                <link>http://cordova.apache.org/announcements/2014/08/06/android-351-update.html</link>
+                <guid>http://cordova.apache.org/announcements/2014/08/06/android-351-update</guid>
+                <pubDate>Wed, 06 Aug 2014</pubDate>
+        </item>
+
+        <item>
                 <title>Apache Cordova Android 3.5.1</title>
                 <description>
+&lt;p&gt;&lt;strong&gt;Updated: 2014-08-06&lt;/strong&gt; (The text
of CVE-2014-3502 was changed after this post was released, to better explain the cope of the
issue and the ways to mitigate the problem)&lt;/p&gt;
+
 &lt;p&gt;Security issues were discovered in the Android platform of Cordova. We are
releasing version 3.5.1 of Cordova Android to address these security issues. We recommend
that all Android applications built using Cordova be upgraded to use version 3.5.1 of Cordova
Android. Other Cordova platforms such as iOS are unaffected, and do not have an update.&lt;/p&gt;
 
 &lt;p&gt;When using the Cordova CLI, the command to use 3.5.1 of Cordova Android
is:&lt;/p&gt;
@@ -65,6 +91,26 @@
 
 &lt;p&gt;Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security
Systems.&lt;/p&gt;
 &lt;hr /&gt;
+&lt;p&gt;CVE-2014-3502: Cordova apps can potentially leak data to other apps via
URL loading&lt;/p&gt;
+
+&lt;p&gt;Severity: Medium&lt;/p&gt;
+
+&lt;p&gt;Vendor: The Apache Software Foundation&lt;/p&gt;
+
+&lt;p&gt;Versions Affected: Cordova Android versions up to 3.5.0&lt;/p&gt;
+
+&lt;p&gt;Description: Android applications built with the Cordova framework can launch
other applications through the use of anchor tags, or by redirecting the webview to an Android
intent URL. An attacker who can manipulate the HTML content of a Cordova application can create
links which open other applications and send arbitrary data to those applications. An attacker
who can run arbitrary JavaScript code within the context of the Cordova application can also
set the document location to such a URL. By using this in concert with a second, vulnerable
application, an attacker might be able to use this method to send data from the Cordova application
to the network.&lt;/p&gt;
+
+&lt;p&gt;The latest release of Cordova Android takes steps to block explicit Android
intent urls, so that they can no longer be used to start arbitrary applications on the device.&lt;/p&gt;
+
+&lt;p&gt;Implicit intents, including URLs with schemes such as “tel”, “geo”,
and “sms” can still be used to open external applications by default, but this behaviour
can be overridden by plugins.&lt;/p&gt;
+
+&lt;p&gt;Upgrade path: Developers who are concerned about this should rebuild their
applications with Cordova Android 3.5.1.&lt;/p&gt;
+
+&lt;p&gt;Credit: This issue was discovered by David Kaplan and Roee Hay of IBM Security
Systems.&lt;/p&gt;
+
+&lt;p&gt;(This notice originally read as follows:)&lt;/p&gt;
+
 &lt;p&gt;CVE-2014-3502: Cordova apps can potentially leak data to other apps via
Android intent URLs&lt;/p&gt;
 
 &lt;p&gt;Severity: Medium&lt;/p&gt;

Modified: cordova/site/www/_posts/2014-08-04-android-351.md
URL: http://svn.apache.org/viewvc/cordova/site/www/_posts/2014-08-04-android-351.md?rev=1616301&r1=1616300&r2=1616301&view=diff
==============================================================================
--- cordova/site/www/_posts/2014-08-04-android-351.md (original)
+++ cordova/site/www/_posts/2014-08-04-android-351.md Wed Aug  6 18:52:05 2014
@@ -8,6 +8,9 @@ categories: announcements
 tags: news releases security
 ---
 
+**Updated: 2014-08-06**
+(The text of CVE-2014-3502 was changed after this post was released, to better explain the
cope of the issue and the ways to mitigate the problem)
+
 Security issues were discovered in the Android platform of Cordova. We are releasing version
3.5.1 of Cordova Android to address these security issues. We recommend that all Android applications
built using Cordova be upgraded to use version 3.5.1 of Cordova Android. Other Cordova platforms
such as iOS are unaffected, and do not have an update.
 
 When using the Cordova CLI, the command to use 3.5.1 of Cordova Android is:
@@ -95,6 +98,47 @@ This issue was discovered by David Kapla
 
 ____
 
+CVE-2014-3502: Cordova apps can potentially leak data to other apps via URL
+loading
+
+
+Severity: Medium
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+Cordova Android versions up to 3.5.0
+
+Description:
+Android applications built with the Cordova framework can launch other
+applications through the use of anchor tags, or by redirecting the webview to
+an Android intent URL. An attacker who can manipulate the HTML content of a
+Cordova application can create links which open other applications and send
+arbitrary data to those applications. An attacker who can run arbitrary
+JavaScript code within the context of the Cordova application can also set the
+document location to such a URL. By using this in concert with a second,
+vulnerable application, an attacker might be able to use this method to send
+data from the Cordova application to the network.
+
+The latest release of Cordova Android takes steps to block explicit Android
+intent urls, so that they can no longer be used to start arbitrary applications
+on the device.
+
+Implicit intents, including URLs with schemes such as "tel", "geo", and "sms"
+can still be used to open external applications by default, but this behaviour
+can be overridden by plugins.
+
+Upgrade path:
+Developers who are concerned about this should rebuild their applications with
+Cordova Android 3.5.1.
+
+Credit:
+This issue was discovered by David Kaplan and Roee Hay of IBM Security Systems.
+
+
+(This notice originally read as follows:)
+
 CVE-2014-3502: Cordova apps can potentially leak data to other apps via Android
 intent URLs
 

Added: cordova/site/www/_posts/2014-08-06-android-351-update.md
URL: http://svn.apache.org/viewvc/cordova/site/www/_posts/2014-08-06-android-351-update.md?rev=1616301&view=auto
==============================================================================
--- cordova/site/www/_posts/2014-08-06-android-351-update.md (added)
+++ cordova/site/www/_posts/2014-08-06-android-351-update.md Wed Aug  6 18:52:05 2014
@@ -0,0 +1,27 @@
+---
+layout: post
+author:
+    name: Ian Clelland
+    url: https://twitter.com/iclelland
+title:  "Apache Cordova Android 3.5.1 Update"
+categories: announcements
+tags: news releases security
+---
+
+On Monday, we released Cordova Android 3.5.1, to address a couple of security issues. Afterwards,
talking with the original researchers, we realized that the text of the security announcement
that went out wasn't quite right, so we've amended it.
+
+You can read the amended blog post [here](http://cordova.apache.org/announcements/2014/08/04/android-351.html).
+
+The issue in CVE-2014-3502 is that Cordova applications would, by default, pass any URLs
that they couldn't load to the Android intent system for handling. This lets developers construct
URLs that open email applications, maps, or send SMS messages, or even open web pages in the
system browser, but it also allowed malicious URLs that could potentially open other applications
on the device. This meant that if someone could execute their own JavaScript in your application,
that they could use other applications on the device to "phone home" with the user's data.
This is why we are recommending that all Android developers upgrade to Cordova 3.5.1.
+
+<!--more-->
+
+In order not to break existing applications, Cordova 3.5.1 disallows clearly malicious URLs,
but will still open links like `sms:`, `mailto:`, or `geo:` in their default applications.
(It is, after all, a useful feature, and there are many published applications which rely
on that behaviour.) If you want to restrict that even further, you can use Cordova plugins
to customize which URLs can be loaded, and which URLs will be blocked completely.
+
+As a very simple example of this, I have published a sample plugin which blocks all external
applications from loading. To use it, install it like
+
+    cordova plugin add net.iclelland.external-app-block
+
+or feel free to clone it from [GitHub](https://github.com/clelland/cordova-plugin-external-app-block)
and tweak it to suit your needs.
+
+We're hoping to have a more flexible solution built in to Cordova with the next release,
but in the meantime, the plugin system is powerful enough to allow you to control this for
your apps yourself.



Mime
View raw message