75233 2002-09-11 17:48 /43 rader/ Dirk Mueller <mueller@kde.org>
Importerad: 2002-09-11 17:48 av Brevbäraren
Extern mottagare: kde-announce@kde.org
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <1452>
Ärende: KDE Security Advisory: Secure Cookie Vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
KDE Security Advisory: Secure Cookie Vulnerability
Original Release Date: 2002-09-08
URL: http://www.kde.org/info/security/advisory-20020908-1.txt
0. References
None.
1. Systems affected:
Konqueror in KDE 3.0, KDE 3.0.1 and KDE 3.0.2.
KDE 2.2.2 and KDE 3.0.3 are NOT affected.
2. Overview:
Konqueror fails to detect the "secure" flag in HTTP cookies and as
a result may send secure cookies back to the originating site over
an unencrypted network connection.
3. Impact:
A secure session that relies solely on secure cookies for
identifying the session can possibly be hijacked, or an account
which relies solely on secure cookies for logging on may be
compromised, by an attacker who manages to eavesdrop on the
unencrypted network connection.
4. Solution:
Upgrade to KDE 3.0.3 in which this problem is fixed or apply the
patch below.
5. Patch:
A patch for KDE 3.0, KDE 3.0.1 and KDE 3.0.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
1abff4a02381b5ca11273d02c6a5c6ca
post-3.0-kdelibs-kcookiejar.diff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9fldFvsXr+iuy1UoRAkfxAJ9tqM141Dx+7b8ZHlxUcU6uJIsJ0QCg5kXu
PFXLjBmWgER6vfvpYcOiLYM=
=UT1J
-----END PGP SIGNATURE-----
(75233) /Dirk Mueller <mueller@kde.org>/--(Ombruten)
75234 2002-09-11 17:51 /63 rader/ Dirk Mueller <mueller@kde.org>
Importerad: 2002-09-11 17:51 av Brevbäraren
Extern mottagare: kde-announce@kde.org
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <1453>
Ärende: KDE Security Advisory: Konqueror Cross Site Scripting Vulnerability
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
KDE Security Advisory: Konqueror Cross Site Scripting Vulnerability
Original Release Date: 2002-09-08
URL: http://www.kde.org/info/security/advisory-20020908-2.txt
0. References
http://online.securityfocus.com/archive/1/290710/2002-09-03/2002-09-09/0
1. Systems affected:
KDE 2.2.2
KDE 3.0 - 3.0.3
2. Overview:
Konqueror's cross Site scripting protection fails to
initialize the domains on sub-(i)frames correctly. As a
result, Javascript can access any foreign subframe which is
defined in the HTML source.
3. Impact:
Users of Konqueror and other KDE software that uses the KHTML
rendering engine may fall victim of a cookie stealing and
other cross site scripting attacks.
4. Solution:
Apply the appended patch to kdelibs, update to the
kdelibs-3.0.3a or, as a workaround, disable Javascript or
cookies.
kdelibs-3.0.3a can be downloaded from
http://download.kde.org/stable/3.0.3 :
02627f595af113f7d544561a7ff6ec85 kdelibs-3.0.3a.tar.bz2
5. Patch:
A patch for KDE 3.0.3 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
523b2fb677310792cbb04861f358d08d
post-3.0.3-kdelibs-khtml.diff
A patch for KDE 2.2.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
b0b23c3caa062c60375a1160418a2810
post-2.2.2-kdelibs-khtml.diff
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9fntPvsXr+iuy1UoRAiDrAKCIgT/f7UvBqXdgPVkGeFvNktSagQCgkUMw
lxtwL9WYkKyR7TcrK7yY36M=
=yQpt
-----END PGP SIGNATURE-----
(75234) /Dirk Mueller <mueller@kde.org>/--(Ombruten)