Security Issues reported by Fortify scan


Chetan

Jan 23, 2012, 4:53:36 AM
to phonegap
Hi,

I ran a Fortify security scan on the Phonegap app, and got some
security issues in the framework code.
The scan was performed on version 1.3

1. Dynamic Code Evaluation: Code Injection
a. On phonegap.js line 618 - The below statement is vulnerable.
eval("var v="+r+";");
Issue:
The file phonegap-1.3.0.js interprets unvalidated user
input as source code on line 618. Interpreting user-controlled
instructions at run-time can allow attackers to execute malicious
code.
Recommendation:
Minimize the likelihood of attack by constraining the
code your program will execute dynamically as much as possible.

2. Insecure Randomness
a. On phonegap.js line 884 - The below statement is vulnerable.
uuidchar = parseInt((Math.random() * 256), 0).toString(16);
Issue:
Standard pseudo-random number generators cannot
withstand cryptographic attacks.
Recommendation:
When unpredictability is critical, as is the case with
most security-sensitive uses of randomness, use a cryptographic PRNG.
Regardless of the PRNG you choose, always use a value with sufficient
entropy to seed the algorithm. (Values such as the current time offer
only negligible entropy and should not be used.)

3. Open Redirect.
a. On phonegap.js line 814 - The below statement is vulnerable.
xmlhttp.open("GET", "http://127.0.0.1:"+PhoneGap.JSCallbackPort+"/"+PhoneGap.JSCallbackToken, true);
Issue:
The file phonegap-1.3.0.js passes unvalidated data to an
HTTP redirect function on line 814. Allowing unvalidated input to
control the URL used in a redirect can aid phishing attacks.

I understand that some of these may be false alarms or less critical
based on the context in which they are used.

However, how do I ensure that the above issues are addressed in the
next versions of Phonegap? How can I report such issues to the
phonegap development team?

Regards,
Chetan

Simon MacDonald

Jan 27, 2012, 12:51:29 PM
to phon...@googlegroups.com
You can report the issues here:


but I would not be concerned with these scan results. You have to remember that PhoneGap is running locally on your device and is much less susceptible to attacks than websites are.


--
You received this message because you are subscribed to the Google
Groups "phonegap" group.
To post to this group, send email to phon...@googlegroups.com
To unsubscribe from this group, send email to
phonegap+u...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/phonegap?hl=en

For more info on PhoneGap or to download the code go to www.phonegap.com
