SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Browser)  >  KDE Konqueror Vendors:  KDE.org
KDE Konqueror 'data:' URL Display Bug Lets Remote Users Spoof the Address Bar
SecurityTracker Alert ID:  1018396
SecurityTracker URL:  http://securitytracker.com/id?1018396
CVE Reference:  CVE-2007-3820   (Links to External Site)
Updated:  Jul 17 2007
Original Entry Date:  Jul 16 2007
Impact:  Modification of user information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 3.5.7
Description:  A vulnerability was reported in KDE Konqueror. A remote user can spoof the URL address bar.

The browser does not properly display the contents of the URL bar when rendering 'data:' URLs. A remote user can create specially crafted HTML that, when loaded by the target user, will redirect the browser to a web page that will display an arbitrary URL in the address bar.

Robert Swiecki reported this vulnerability.
Impact:  A remote user can spoof the URL address bar contents.
Solution:  The vendor has issued a fix, available from the source code repository.
Vendor URL:  www.kde.org/ (Links to External Site)
Cause:  State error
Underlying OS:  Linux (Any)
Reported By:  Robert Swiecki <jagger@swiecki.net>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Aug 16 2007 (KDE Issues Patches) KDE Konqueror 'data:' URL Display Bug Lets Remote Users Spoof the Address Bar
The vendor has issued patches for KDE 3.5.7.


 Source Message Contents
Date:  Sat, 14 Jul 2007 01:50:49 +0200
From:  Robert Swiecki <jagger@swiecki.net>
Subject:  Opera/Konqueror: data: URL scheme address bar spoofing

 
With a specially crafted web page, an attacker can redirect
a www browser to the page, which URL (in the url bar) resembles
an arbitrary domain choosen by the attacker.

It's possible due to the fact, that some web browsers incorrectly
display contents of the url bar while rendering pages based on the
'data:' URL scheme (RFC 2397). Only the ending of the URL is
displayed. Padding the URL with whitespaces allows an attacker to
insert an arbitrary content into the browser url bar.

http://alt.swiecki.net/oper1.html

Tested with:
 * Opera 9.21 on Win 2003SE and Win XPSP2
 * Opera 9.21 on Linux
 * Konqueror 3.5.7 on Linux

Pictures taken on my systems (using 1024x768 dekstop resolution)
http://alt.swiecki.net/operalin.png
http://alt.swiecki.net/operawin.png
http://alt.swiecki.net/konq.png

Successfull attack depends on the proper construction of the
'data:' URL. An algorithm could utilize JS
document.body.clientWidth/Height properties to calculate the
best url padding for the given browser.

PS. Sometimes Opera web browser displays the beggining of
the 'data:' URL (correct behaviour), e.g. during
browser startup with immediate redirect to the last visited page.

-- 
Robert Swiecki


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC