Fixes are available
APAR status
Closed as program error.
Error description
A security vulnerability was discovered in Cordova Android. The vulnerability allows for malicious users to use an intent to start an application and modify preferences in the config.xml. The vulnerability is limited to modifying preferences that have not been set in config.xml. There are two ways to invoke the vulnerability. The following methods start out with a plain Cordova project. Build and run on device or emulator. Then kill the application. The first method executes from the command line: adb shell am start -n com.cordova.hello/.MainActivity --es fullscreen true The above will start the application with the package name "com.cordova.hello" and main activity "MainActivity", and tell the application to go fullscreen. The application will go fullscreen without the developer specifying to do so in the config.xml. There are other preferences that can be used which may be more apparent that the developer's application has been compromised, but nonetheless, this application was still compromised. The second method is through a script on a web page. The malicious user can redirect the page to the application and still using the intent, start the application with the specified preference changes. <script> setTimeout( function(){ location.href="intent:#Intent;S.fullscreen=true;SEL;component=co m.cordova.hello/.MainActivity;end;" },5000); </script> Both of these method have the same effect.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: * * All Android users that have applications made with Cordova. * **************************************************************** * PROBLEM DESCRIPTION: * * Malicious users are able to use intents to start an * * application and inject preferences that the developer did * * not specify, such as setting the loadUrlTimeoutValue to 1 * * making the application unable to open past 1 millisecond. * * This security vulnerability allows for remote exploits and * * might be dangerous especially with some third party plugins. * * If the preference is already set in config.xml, the * * malicious user cannot override with his/her preference. * **************************************************************** * RECOMMENDATION: * * - * ****************************************************************
Problem conclusion
Cordova applications will no longer be able to use intents to set preferences. All preferences should be set in the config.xml with the <preference> tag. Please refer to Cordova documentation for references. After installing the iFix, rebuild the Android application. If there are errors with preferences, move them to config.xml. Setting them elsewhere is no longer supported. Beware of Third Party plugins if they have preferences that can be set in config.xml.
Temporary fix
Comments
APAR Information
APAR number
PI41872
Reported component name
WL/MFPF CONSUME
Reported component ID
5725I4301
Reported release
506
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-05-27
Closed date
2015-07-28
Last modified date
2015-07-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WL/MFPF CONSUME
Fixed component ID
5725I4301
Applicable component levels
R505 PSY
UP
R506 PSY
UP
R600 PSY
UP
R610 PSY
UP
R620 PSY
UP
R630 PSY
UP
R700 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZH4A","label":"IBM Worklight"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"506","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
14 October 2021