forwarded 801326
https://anki.tenderapp.com/discussions/ankidesktop/15320-security-issues-with-the-anki-browser
thanks
On Thu, Oct 08, 2015 at 07:50:20PM +0300, Evgeny Kapun wrote:
> Package: anki
> Version: 2.0.32+dfsg-1
> Tags: security
>
> In Anki, cards [1] are formatted using HTML and displayed using a web browser
> control. That browser is not appropriately restricted, for example:
>
> * Script execution is permitted.
> * Arbitrary file: URLs can be accessed.
> * Arbitrary http: and https: URLs can be accessed.
>
> As a result, a malicious deck may, for example:
>
> * Call home any time it is used.
> * Exfiltrate local files, similar to CVE-2015-4495 [2].
> * Take over vulnerable routers and other servers in the same LAN.
>
> To reproduce, insert this into a card template:
> <a href="javascript:alert('Test')">click</a> -> script execution.
> <img src="file:///path/to/local/file"/> -> local file access.
> <img src="http://example.com/path/to/remote/file"/> -> remote file access.
>
> [1] http://ankisrs.net/docs/manual.html#basics
> [2]
> http://www.welivesecurity.com/2015/08/11/firefox-under-fire-anatomy-of-latest-0-day-attack/
This seems to have been (at least partially) fixed: there is now no
local file access and javascript cannot source external Javascript
files. http access is still possible. See the URL in the "forwarded"
above.
Best wishes,
Julian