forwarded 801326 
https://anki.tenderapp.com/discussions/ankidesktop/15320-security-issues-with-the-anki-browser
thanks

On Thu, Oct 08, 2015 at 07:50:20PM +0300, Evgeny Kapun wrote:
> Package: anki
> Version: 2.0.32+dfsg-1
> Tags: security
> 
> In Anki, cards [1] are formatted using HTML and displayed using a web browser 
> control. That browser is not appropriately restricted, for example:
> 
> * Script execution is permitted.
> * Arbitrary file: URLs can be accessed.
> * Arbitrary http: and https: URLs can be accessed.
> 
> As a result, a malicious deck may, for example:
> 
> * Call home any time it is used.
> * Exfiltrate local files, similar to CVE-2015-4495 [2].
> * Take over vulnerable routers and other servers in the same LAN.
> 
> To reproduce, insert this into a card template:
> <a href="javascript:alert('Test')">click</a> -> script execution.
> <img src="file:///path/to/local/file"/> -> local file access.
> <img src="http://example.com/path/to/remote/file"/> -> remote file access.
> 
> [1] http://ankisrs.net/docs/manual.html#basics
> [2] 
> http://www.welivesecurity.com/2015/08/11/firefox-under-fire-anatomy-of-latest-0-day-attack/

This seems to have been (at least partially) fixed: there is now no
local file access and javascript cannot source external Javascript
files.  http access is still possible.  See the URL in the "forwarded"
above.

Best wishes,

   Julian

Reply via email to