Package: anki
Version: 2.0.32+dfsg-1
Tags: security

In Anki, cards [1] are formatted using HTML and displayed using a web browser 
control. That browser is not appropriately restricted, for example:

* Script execution is permitted.
* Arbitrary file: URLs can be accessed.
* Arbitrary http: and https: URLs can be accessed.

As a result, a malicious deck may, for example:

* Call home any time it is used.
* Exfiltrate local files, similar to CVE-2015-4495 [2].
* Take over vulnerable routers and other servers in the same LAN.

To reproduce, insert this into a card template:
<a href="javascript:alert('Test')">click</a> -> script execution.
<img src="file:///path/to/local/file"/> -> local file access.
<img src="http://example.com/path/to/remote/file"/> -> remote file access.
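The three reproduction snippets above map onto three checks a deck maintainer or reviewer can run over card templates before importing a shared deck. The auditor below is an added example written for this report, not Anki code; `audit_template` and the finding labels are assumed names, and the sample template is constructed from the snippets in the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value the embedded browser will navigate to or fetch.
URL_ATTRS = {"href", "src", "action", "data", "poster"}


class TemplateAuditor(HTMLParser):
    """Flags the three behaviours the report lists in a card template:
    script execution, file: access and remote http(s) access."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            self.findings.append(("script-execution", "<script> element"))
        for name, value in attrs:
            if value is None:
                continue
            if name.startswith("on"):  # inline event handler, e.g. onclick
                self.findings.append(("script-execution", f"{name} handler"))
                continue
            if name not in URL_ATTRS:
                continue
            scheme = urlparse(value.strip()).scheme.lower()
            if scheme == "javascript":
                self.findings.append(("script-execution", value))
            elif scheme == "file":
                self.findings.append(("local-file-access", value))
            elif scheme in ("http", "https"):
                self.findings.append(("remote-access", value))


def audit_template(html):
    """Return a list of (category, detail) findings for one card template."""
    auditor = TemplateAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: the report's three snippets plus one harmless local image.
SAMPLE_TEMPLATE = """<div>{{Front}}</div>
<a href="javascript:alert('Test')">click</a>
<img src="file:///path/to/local/file"/>
<img src="http://example.com/path/to/remote/file"/>
<img src="paris.jpg"/>"""

if __name__ == "__main__":
    for kind, detail in audit_template(SAMPLE_TEMPLATE):
        print(f"{kind}: {detail}")
```

This is a review aid, not a fix: it flags the patterns a reviewer can see, while the remediation the report implies is restricting the browser control itself (disabling script and blocking file: and network schemes for card content).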

[1] http://ankisrs.net/docs/manual.html#basics
[2] http://www.welivesecurity.com/2015/08/11/firefox-under-fire-anatomy-of-latest-0-day-attack/