---

Home Security

KDE Advisories: konqueror

By 
KDE Security Advisory: Secure Cookie Vulnerability
Original Release Date: 2002-09-08
URL: http://www.kde.org/info/security/advisory-20020908-1.txt

0. References
        None.

1. Systems affected:
        Konqueror in KDE 3.0, KDE 3.0.1 and KDE 3.0.2. 
        KDE 2.2.2 and KDE 3.0.3 are NOT affected.

2. Overview:
        Konqueror fails to detect the "secure" flag in HTTP cookies and as 
        a result may send secure cookies back to the originating site over 
        an unencrypted network connection. 
      
3. Impact:
        A secure session that relies solely on secure cookies for 
        identifying the session can possibly be hijacked, or an account 
        which relies solely on secure cookies for logging on may be 
        compromised, by an attacker who manages to eavesdrop on the 
        unencrypted network connection.

4. Solution:
        Upgrade to KDE 3.0.3 in which this problem is fixed or apply the
        patch below.

5. Patch:
        A patch for KDE 3.0, KDE 3.0.1 and KDE 3.0.2 is available from 
        ftp://ftp.kde.org/pub/kde/security_patches :

        1abff4a02381b5ca11273d02c6a5c6ca  post-3.0-kdelibs-kcookiejar.diff


__________________


KDE Security Advisory: Konqueror Cross Site Scripting Vulnerability 
Original Release Date: 2002-09-08
URL: http://www.kde.org/info/security/advisory-20020908-2.txt

0. References
        http://online.securityfocus.com/archive/1/290710/2002-09-03/2002-09-09/0

1. Systems affected:

        KDE 2.2.2
        KDE 3.0 - 3.0.3 

2. Overview:
            
        Konqueror's cross Site scripting protection fails to initialize the 
        domains on sub-(i)frames correctly. As a result, Javascript can 
        access any foreign subframe which is defined in the HTML source. 

3. Impact:
        
        Users of Konqueror and other KDE software that uses the KHTML 
        rendering engine may fall victim of a cookie stealing and 
        other cross site scripting attacks. 
   
4. Solution:
        
        Apply the appended patch to kdelibs, update to the kdelibs-3.0.3a or, 
        as a workaround, disable Javascript or cookies.     

        kdelibs-3.0.3a can be downloaded from 
        http://download.kde.org/stable/3.0.3 :

        02627f595af113f7d544561a7ff6ec85  kdelibs-3.0.3a.tar.bz/2
       

5. Patch:

        A patch for KDE 3.0.3 is available from
        
        ftp://ftp.kde.org/pub/kde/security_patches :
  
        523b2fb677310792cbb04861f358d08d  post-3.0.3-kdelibs-khtml.diff

        A patch for KDE 2.2.2 is available from
   
        ftp://ftp.kde.org/pub/kde/security_patches : 
 
        b0b23c3caa062c60375a1160418a2810  post-2.2.2-kdelibs-khtml.diff

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends, & analysis

Must Read

LinuxToday is a trusted, contributor-driven news resource supporting all types of Linux users. Our thriving international community engages with us through social media and frequent content contributions aimed at solving problems ranging from personal computing to enterprise-level IT operations. LinuxToday serves as a home for a community that struggles to find comparable information elsewhere on the web.

Our Brands

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.