KDE Konqueror Flaw Lets Remote Users Spoof the Address Bar
SecurityTracker Alert ID: 1018579
SecurityTracker URL: http://securitytracker.com/id/1018579
Updated: Sep 14 2007
Original Entry Date: Aug 16 2007
Modification of system information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.5.7 and prior versions
A vulnerability was reported in KDE Konqueror. A remote user can spoof the address bar.
A remote user can create a specially crafted URL that includes embedded white spaces within the user/password portion of the URL. When the URL is loaded by the target user, the address bar may appear as if the browser is on a different page.
A remote web site can cause the target user's address bar to appear as if the browser has navigated to a different page.
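The mechanism described above (a hostname-looking string padded with white space in the user/password part of the URL, ahead of the real host) can be checked for in URLs passing through a proxy, mail filter or log pipeline. The following is an added example written for this page, not code from SecurityTracker or KDE; it uses only Python's standard `urllib.parse`, and the sample URLs are constructed (`example.com`, `example.net` and `attacker.example` are placeholders). It reports where the browser will actually connect, flags userinfo that contains white space or looks like a hostname, and shows the address-bar form that drops the userinfo entirely.

```python
from urllib.parse import urlsplit, urlunsplit, unquote

# Constructed sample URLs (not taken from the advisory). The third has the shape
# the advisory describes: percent-encoded spaces inside the userinfo so that a
# hostname-looking string sits at the left edge of a naive address-bar display.
SAMPLE_URLS = [
    "https://www.example.com/login",
    "ftp://backup:s3cret@files.example.net/dump.tgz",
    "http://www.example.com%20%20%20%20%20%20%20%20@attacker.example/index.html",
]


def analyze_url(url: str) -> dict:
    """Describe where a URL really points and whether its userinfo could be
    mistaken for the host when rendered."""
    parts = urlsplit(url)
    netloc = parts.netloc
    # Everything before the LAST '@' in the authority is userinfo; the host that
    # is actually resolved and connected to is parts.hostname.
    userinfo_raw = netloc.rpartition("@")[0] if "@" in netloc else ""
    userinfo = unquote(userinfo_raw)          # decode %20 etc. before inspecting
    username = userinfo.split(":", 1)[0]
    return {
        "real_host": parts.hostname or "",
        "has_userinfo": bool(userinfo_raw),
        "whitespace_in_userinfo": any(ch.isspace() for ch in userinfo),
        # A username containing a dot reads like a hostname to a human.
        "userinfo_looks_like_host": "." in username.strip(),
    }


def is_suspicious(url: str) -> bool:
    """True when userinfo is present and is padded with white space or looks
    like a hostname, the two traits of the spoof described in the advisory."""
    info = analyze_url(url)
    return info["has_userinfo"] and (
        info["whitespace_in_userinfo"] or info["userinfo_looks_like_host"]
    )


def display_form(url: str) -> str:
    """The form an address bar should show: scheme, real host (and port), path,
    with the userinfo removed so nothing precedes the host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = analyze_url(u)
        flag = "SUSPICIOUS" if is_suspicious(u) else "ok"
        print(f"{flag:10} real host={info['real_host']!r:22} display={display_form(u)}")
```

The check is deliberately conservative: plain credentials without a dot (`backup:s3cret@files.example.net`) are not flagged, while any userinfo containing white space after decoding is. A proxy or link scanner could log `real_host` next to the raw URL so that analysts see the destination rather than the leading text.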
Some demonstration exploits are available at:
Robert Swiecki reported this vulnerability.
A remote user can spoof the address bar.
The vendor has issued the following patches, available at:
For 3.5.7 and newer:
For 3.4.2 and newer:
On September 14, 2007, the above listed patches were released as part of an updated advisory, issued to replace the original advisory.
The new KDE advisory is available at:
The original KDE advisory is available at:
Vendor URL: www.kde.org/info/security/advisory-20070914-1.txt
Access control error
Source Message Contents
Date: Thu, 16 Aug 2007 14:55:13 -0400
Subject: KDE Konqueror
KDE Security Advisory: konqueror address bar spoofing
Original Release Date: 2007-08-16
1. Systems affected:
Konqueror as shipped with KDE up to including KDE 3.5.7.
The Konqueror address bar is vulnerable to spoofing attacks
that are based on embedding white spaces in the URL. In addition
the address bar could be tricked to show a URL which it is
intending to visit for a short amount of time instead of the
Malicious web sites could spoof another website's URL. The
attack is limited to the address bar, it does not affect
additional security measures, like for example the SSL certificate
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
Patches for KDE 3.5.7 and newer are available from