81019 2002-10-11  23:25  /57 lines/ Dirk Mueller <mueller@kde.org>
Imported: 2002-10-11  23:25  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1900>
Subject: KDE Security Advisory: kpf Directory traversal
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


KDE Security Advisory: kpf Directory traversal
Original Release Date: 2002-10-08
URL: http://www.kde.org/info/security/advisory-20021008-2.txt

0. References


1. Systems affected:

        kpf of any KDE release between KDE 3.0.1 and KDE 3.0.3a. 

2. Overview:
            
        kpf is a file sharing utility that can be docked into the
        KDE kicker bar. It uses a subset of the HTTP protocol
        internally and acts much similar to a webserver.

        A feature added in KDE 3.0.1 accidentally allowed retrieving any
        file, not limited to the configured shared directory, if it is
        readable by the user kpf runs under. 

3. Impact:
        
        Files not stored in the shared directory were remotely 
        retrievable. 
   
4. Solution:
        
        The vulnerable feature has been removed. 
         
        Apply the patch listed in section 5 to kdenetwork/kpf, or
        update to KDE 3.0.4.

        kdenetwork-3.0.4 can be downloaded from

        http://download.kde.org/stable/3.0.4 :
        9f64e76cc6b922e1bf105099e3bf8205  kdenetwork-3.0.4.tar.bz2

5. Patch:

        A patch for KDE 3.0.3 is available from
        
        ftp://ftp.kde.org/pub/kde/security_patches :
        2e8ddbb0d75cd63fd534ec001bb5a415
        post-3.0.3-kdenetwork-kpf.diff
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9pD4NvsXr+iuy1UoRAsX7AKChfW49EmYsvodQ1LIvxuQoNsCpDACfale1
iC3TCzTlXxYWZIUdlSPC3tc=
=D/Lf
-----END PGP SIGNATURE-----
(81019) /Dirk Mueller <mueller@kde.org>/--(Reflowed)
81025 2002-10-12  19:29  /59 lines/ Ajay R Ramjatan <simpleguy@simpleguy.com>
Imported: 2002-10-12  19:29  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <1905>
Subject: Security hole in kpf - KDE personal fileserver.
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        SECURITY ADVISORY

Author:		Ajay R Ramjatan <simpleguy@simpleguy.com>
Date:		11 October 2002
Software:	kpf - KDE Personal File Server (part of kdenetwork)
Vulnerable:	kpf of any KDE release between KDE 3.0.1 and KDE 3.0.3a
Fixed:		kpf from kdenetwork 3.0.4

INTRODUCTION
kpf allows a user to run a small http server and easily
'share' a directory on a certain port. Using specially crafted URLs,
it's possible to view content outside the specified root directory.

DESCRIPTION
A few days ago, I used the kpf applet to quickly 'share'
a directory on my system for a friend. When testing with a browser, I
noticed that jpeg files had an icon next to them. Curiosity compelled
me to check the path of those icons. It turned out the icons were
being read from my own machine and their URL was in the form

http://127.0.0.1:8001/?icon=/usr/local/kde/share/icons/hicolor \
/32x32/mimetypes/image.png

Using ?icon=/ in the URL shown above causes kpf to display the
system's root directory, and going from there, it's possible to read
any file which is readable by the user running kpf.

I immediately closed kpf and notified rikkus on
#kde-devel@Openprojects who acknowledged the hole and immediately
fixed it.

SOLUTION
The KDE advisory of the problem is here:
http://www.kde.org/info/security/advisory-20021008-2.txt
It includes locations of where to get updated packages and patches.

THANKS TO Rikkus @ OpenProjects for fixing the hole quickly.
Larry^Flynt @ DALnet. Without him asking me to 'share' some jpegs
with him, I would have never discovered that hole.


Ajay R Ramjatan
http://www.simpleguy.com

- -EOF

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9pqZhajQ2fz6QGn8RAqqWAJ9hX09lucd8JJlZC2EaxAxbLpq+ZACgwT1L
oJ8F2zrpRAcoO3hLPHH+xH8=
=+g5X
-----END PGP SIGNATURE-----
(81025) /Ajay R Ramjatan <simpleguy@simpleguy.com>/(Reflowed)
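
The KDE fix removed the icon feature outright. As an added illustration (not kpf code and not from either advisory), this Python sketch contrasts the reported pattern, where the ?icon= value is used as a path as-is, with a containment check that resolves the path and refuses anything outside its allowed root. The function names, the separate icon root and the directory tree are assumptions constructed for the example.

```python
import os
import tempfile
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_naive(share_root, url):
    """Pattern described in the report: the ?icon= value is used as a path as-is."""
    parts = urlsplit(url)
    icon = parse_qs(parts.query).get("icon")
    if icon:
        return icon[0]
    return os.path.join(share_root, unquote(parts.path).lstrip("/"))


def resolve_contained(share_root, icon_root, url):
    """Return the resolved path only if it stays inside its allowed root, else None."""
    parts = urlsplit(url)
    icon = parse_qs(parts.query).get("icon")
    if icon:
        base, candidate = icon_root, icon[0]
    else:
        base = share_root
        candidate = os.path.join(share_root, unquote(parts.path).lstrip("/"))
    # realpath() collapses ".." and follows symlinks before the comparison.
    base, candidate = os.path.realpath(base), os.path.realpath(candidate)
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def demo():
    """Build a constructed directory tree and resolve constructed request URLs."""
    top = os.path.realpath(tempfile.mkdtemp())
    share, icons = os.path.join(top, "share"), os.path.join(top, "icons")
    os.makedirs(share)
    os.makedirs(icons)
    for path in (os.path.join(share, "photo.jpg"), os.path.join(icons, "image.png"),
                 os.path.join(top, "private.txt")):
        open(path, "w").close()
    os.symlink(top, os.path.join(share, "link"))  # symlink leading out of the share
    urls = {  # constructed sample requests
        "file": "/photo.jpg",
        "icon": "/?icon=" + os.path.join(icons, "image.png"),
        "icon_outside": "/?icon=" + os.path.join(top, "private.txt"),
        "dotdot": "/../private.txt",
        "symlink": "/link/private.txt",
    }
    naive = {k: resolve_naive(share, u) for k, u in urls.items()}
    safe = {k: resolve_contained(share, icons, u) for k, u in urls.items()}
    return top, naive, safe
```

The comparison is made on resolved paths with `os.path.commonpath` rather than a string prefix test, so a sibling directory such as `share-old` does not pass as being inside `share`.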