KDE Konqueror Browser May Disclose Secure Cookies Via the Network Over Non-Secure Connections
SecurityTracker Alert ID: 1005213
SecurityTracker URL: http://securitytracker.com/id/1005213
Date: Sep 11 2002
Impact: Disclosure of authentication information
Fix Available: Yes  Vendor Confirmed: Yes  Exploit Included: Yes
Version(s): Konqueror in KDE 3.0, KDE 3.0.1 and KDE 3.0.2.
Description: An information disclosure vulnerability was reported in certain versions of KDE Konqueror. The browser may send a secure cookie over a non-secure connection.
It is reported that Konqueror fails to detect the "secure" flag in HTTP cookies. As a result, the browser may send secure cookies back to the originating site over an unencrypted network connection.
It is reported that KDE 2.2.2 and KDE 3.0.3 are not affected.
Impact: The browser may send secure cookies over a non-secure session. An attacker who can eavesdrop on the unencrypted connection can capture those cookies and use them to hijack a session, or log on to an account, that relies solely on secure cookies for authentication.
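The failure described above is a cookie-jar decision: when a user agent builds the Cookie header for a request, a cookie set with the Secure attribute must be attached only if the request scheme is https (RFC 6265, section 5.4, step 1). The following Python model, added here as an illustration and not Konqueror's or KDE's code, parses Set-Cookie headers, builds the Cookie header both the way a buggy agent would (Secure flag ignored) and the way a correct agent does, and then shows what a passive eavesdropper recovers from the buggy agent's plaintext request. The host name, cookie names and header values are constructed test data.

```python
"""Model of a browser cookie jar and how the Secure attribute is honoured.

Added example, not Konqueror's code. Host, cookie names and values are
constructed test data.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str, origin_host: str) -> Cookie:
    """Parse one Set-Cookie header value (RFC 6265 section 5.2, simplified).

    The first segment is name=value; the rest are attributes. Flag attributes
    such as Secure and HttpOnly carry no '=' and match case-insensitively.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=origin_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "domain" and val:
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "path" and val:
            cookie.path = val.strip()
    return cookie


def domain_matches(host: str, cookie_domain: str) -> bool:
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_header_for(jar: list[Cookie], url: str, honour_secure: bool) -> Optional[str]:
    """Build the Cookie header a user agent would attach to a request for url.

    honour_secure=False reproduces the bug class in the advisory: the Secure
    flag is ignored, so a Secure cookie is also sent over plain http.
    honour_secure=True implements RFC 6265 section 5.4 step 1: a secure-only
    cookie is attached only when the request scheme is https.
    """
    parts = urlsplit(url)
    is_https = parts.scheme == "https"
    selected = []
    for c in jar:
        if not domain_matches(parts.hostname or "", c.domain):
            continue
        if not (parts.path or "/").startswith(c.path):
            continue
        if honour_secure and c.secure and not is_https:
            continue  # the check Konqueror 3.0-3.0.2 effectively lacked
        selected.append(f"{c.name}={c.value}")
    return "; ".join(selected) if selected else None


def leaked_secure_cookies(jar: list[Cookie], plaintext_request: str) -> list[str]:
    """Eavesdropper's view: names of Secure cookies from jar that appear in the
    Cookie header of a captured plain-HTTP request."""
    sent = {}
    for line in plaintext_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                n, _, v = pair.strip().partition("=")
                sent[n] = v
    return [c.name for c in jar if c.secure and c.name in sent]


# Constructed Set-Cookie headers: a session cookie marked Secure and a
# harmless preference cookie without it.
ORIGIN = "www.example.test"
SET_COOKIE_HEADERS = [
    "SESSIONID=0123456789abcdef; Path=/; Secure; HttpOnly",
    "lang=en; Path=/",
]
JAR = [parse_set_cookie(h, ORIGIN) for h in SET_COOKIE_HEADERS]


def demo() -> dict:
    """Cookie header a buggy and a correct agent send over http and https."""
    plain = "http://www.example.test/index.html"
    tls = "https://www.example.test/index.html"
    return {
        "buggy_http": cookie_header_for(JAR, plain, honour_secure=False),
        "fixed_http": cookie_header_for(JAR, plain, honour_secure=True),
        "fixed_https": cookie_header_for(JAR, tls, honour_secure=True),
    }


def sniffer_demo() -> list[str]:
    """What a passive eavesdropper on the plain connection gets from the buggy agent."""
    buggy = cookie_header_for(JAR, "http://www.example.test/index.html", honour_secure=False)
    captured = f"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nCookie: {buggy}\r\n\r\n"
    return leaked_secure_cookies(JAR, captured)


if __name__ == "__main__":
    print(demo())
    print("leaked over plaintext:", sniffer_demo())
```

With the buggy policy the plain-http request carries SESSIONID alongside lang; with the correct policy only lang crosses the wire and SESSIONID appears only on the https request. The same jar logic is what a site owner cannot fix server-side: once the user agent ignores the flag, the only mitigations are to use a browser that honours it or to serve the site only over https and reject plain-http requests entirely.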
Solution: The vendor has released a fixed version of KDE (3.0.3), available at:
The vendor has also released a patch for KDE 3.0, KDE 3.0.1 and KDE 3.0.2, available at:
Vendor URL: www.kde.org/info/security/advisory-20020908-1.txt
Cause: Access control error, State error
Underlying OS: Linux (Any), UNIX (Any)
Source Message Contents
Date: Wed, 11 Sep 2002 01:11:03 +0200
Subject: KDE Security Advisory: Secure Cookie Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
KDE Security Advisory: Secure Cookie Vulnerability
Original Release Date: 2002-09-08
1. Systems affected:
Konqueror in KDE 3.0, KDE 3.0.1 and KDE 3.0.2.
KDE 2.2.2 and KDE 3.0.3 are NOT affected.
Konqueror fails to detect the "secure" flag in HTTP cookies and as
a result may send secure cookies back to the originating site over
an unencrypted network connection.
A secure session that relies solely on secure cookies for
identifying the session can possibly be hijacked, or an account
which relies solely on secure cookies for logging on may be
compromised, by an attacker who manages to eavesdrop on the
unencrypted network connection.
Upgrade to KDE 3.0.3 in which this problem is fixed or apply the
A patch for KDE 3.0, KDE 3.0.1 and KDE 3.0.2 is available from
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
-----END PGP SIGNATURE-----