KDE: 2 Konqueror vulnerabilities
Results 1 to 3 of 3

Thread: KDE: 2 Konqueror vulnerabilities

  1. #1
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551

    KDE: 2 Konqueror vulnerabilities

    The KDE project has released two security advisories for the popular Konqueror web browser. The advisories cover a cross-site scripting vulnerability and secure cookie handling.
    KDE Security Advisory: Secure Cookie Vulnerability Original Release Date: 2002-09-08
    URL: http://www.kde.org/info/security/adv...20020908-1.txt

    0. References
    None.

    1. Systems affected:
    Konqueror in KDE 3.0, KDE 3.0.1 and KDE 3.0.2.
    KDE 2.2.2 and KDE 3.0.3 are NOT affected.

    2. Overview:
    Konqueror fails to detect the "secure" flag in HTTP cookies and as a result may send secure cookies back to the originating site over an unencrypted network connection.

    3. Impact:
    A secure session that relies solely on secure cookies for identifying the session can possibly be hijacked, or an account
    which relies solely on secure cookies for logging on may be compromised, by an attacker who manages to eavesdrop on the unencrypted network connection.

    4. Solution:
    Upgrade to KDE 3.0.3 in which this problem is fixed or apply the patch below.

    5. Patch:
    A patch for KDE 3.0, KDE 3.0.1 and KDE 3.0.2 is available from ftp://ftp.kde.org/pub/kde/security_patches :
    KDE Security Advisory: Konqueror Cross Site Scripting Vulnerability Original Release Date: 2002-09-08
    URL: http://www.kde.org/info/security/adv...20020908-2.txt

    0. References
    http://online.securityfocus.com/arch...3/2002-09-09/0

    1. Systems affected:

    KDE 2.2.2
    KDE 3.0 - 3.0.3

    2. Overview:

    Konqueror's cross Site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, Javascript can access any foreign subframe which is defined in the HTML source.

    3. Impact:

    Users of Konqueror and other KDE software that uses the KHTML rendering engine may fall victim of a cookie stealing and other cross site scripting attacks.

    4. Solution:

    Apply the appended patch to kdelibs, update to the kdelibs-3.0.3a or, as a workaround, disable Javascript or cookies.

    kdelibs-3.0.3a can be downloaded from
    http://download.kde.org/stable/3.0.3 :

    02627f595af113f7d544561a7ff6ec85 kdelibs-3.0.3a.tar.bz2


    5. Patch:

    A patch for KDE 3.0.3 is available from

    ftp://ftp.kde.org/pub/kde/security_patches :

    523b2fb677310792cbb04861f358d08d post-3.0.3-kdelibs-khtml.diff

    A patch for KDE 2.2.2 is available from

    ftp://ftp.kde.org/pub/kde/security_patches :

    b0b23c3caa062c60375a1160418a2810 post-2.2.2-kdelibs-khtml.diff
    Do what you want with the girl, but leave me alone!

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    thx for the warning..

    and now that we are on the subject of Konqueror, did you also get the strange colors in quotes on antionline (blue text on blue background).

    A simmilar thing happens on Internet Explorer 5 for MacOs X (green text on light green background)..

    I know this is already been posted in OOPS, A bug..
    And JP said something like: "Use Opera or Mozilla, nobody uses that crap anyway.)
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Senior Member problemchild's Avatar
    Join Date
    Jul 2002
    Posts
    551
    Hmmmm.... I'm a Gnome man myself, so I do all my surfing with Galeon/Mozilla, but I'll compile KDE tonight and see what I get with Konqueror.
    Do what you want with the girl, but leave me alone!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •