SecurityTracker
Archives
Category: Application (Web Browser) > KDE Konqueror
Vendors: KDE.org
(Turbolinux Issues Fix) Re: KDE Konqueror May Disclose URL-based Passwords to Remote Users Via the Referer Field
SecurityTracker Alert ID: 1007351
SecurityTracker URL: http://securitytracker.com/id/1007351
CVE Reference: CVE-2003-0459
Date: Jul 31 2003
Impact: Disclosure of authentication information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 3.1.2 and prior versions
Description:   An information disclosure vulnerability was reported in the KDE Konqueror web browser. The browser may leak URL-based authentication information via the HTTP Referer field.

It is reported that the web browser may disclose the target user's authentication credentials for one web site to other web sites via the HTTP Referer header field. This can occur when the authentication credentials are provided via the URL (in the form 'http://user:password@host/').

The vendor indicates that Konqueror/Embedded is also vulnerable.

The following notification timeline is provided:

07/03/2003 Notification of security@kde.org by George Staikos
07/10/2003 Fixed in KDE CVS.
07/11/2003 OS vendors / binary package providers alerted and provided with patches.
07/29/2003 Public Security Advisory by the KDE Security team.

Impact:   A remote user may be able to obtain the target user's authentication credentials by monitoring the HTTP Referer field.
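As an added illustration (not code from the advisory, from KDE or from Turbolinux), the following Python shows the Referer a browser should derive from a URL that carries userinfo, and a check a site operator can run over web server access logs to find browsers that leaked credentials in the way described above. The log lines are constructed samples and `intranet.example` is a placeholder host.

```python
import re
from urllib.parse import urlsplit, urlunsplit

def referer_for(url: str) -> str:
    """Return the Referer value to send for a page loaded from `url`.
    The userinfo (user:password@) and the fragment are dropped; affected
    Konqueror versions sent the URL with the userinfo still in it."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if p.port is not None:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, p.query, ""))

# Apache "combined" access-log layout: the Referer is the first quoted field
# after the status code and response size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# scheme://<anything that is not a delimiter>@ ... i.e. a URL carrying userinfo
USERINFO_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://[^/?#@]+@')

def find_leaked_credentials(lines):
    """Return (client, username, sanitized_referer) for every request whose
    Referer still carried userinfo. The password itself is never returned,
    so the finding can be logged or ticketed without repeating the leak."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not USERINFO_RE.match(m.group("referer")):
            continue
        ref = m.group("referer")
        hits.append((m.group("client"), urlsplit(ref).username, referer_for(ref)))
    return hits

# Constructed sample log lines (not real traffic); the first one shows the leak.
SAMPLE_LOG = [
    '203.0.113.5 - - [31/Jul/2003:10:00:01 +0000] "GET /logo.png HTTP/1.1" 200 512 '
    '"http://alice:s3cret@intranet.example/private/page.html" "Konqueror/3.1"',
    '203.0.113.5 - - [31/Jul/2003:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"http://intranet.example/private/page.html" "Konqueror/3.1"',
    '198.51.100.9 - - [31/Jul/2003:10:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, user, ref in find_leaked_credentials(SAMPLE_LOG):
        print(f"{client} leaked credentials for user {user!r} via Referer {ref}")
```

A hit on a third-party site's log means the credentials should be treated as exposed and rotated, regardless of whether that site is trusted.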
Solution:   Turbolinux has released a fix. Customers are requested to use the 'turbopkg' tool to apply the update.

<Turbolinux 8 Server>

Source Packages
Size : MD5

kdelibs-2.2.2-16.src.rpm
6024245 2fe288fce27a7a84c47eb22bb81b0b1e

Binary Packages
Size : MD5

arts-2.2.2-16.i586.rpm
822708 cf5417a4eeefb8903f2c9e2d81217be8
arts-devel-2.2.2-16.i586.rpm
71595 7dee59a8dbb5c9fbe06264dd13648ae2
kdelibs-2.2.2-16.i586.rpm
7815233 e12341a6ecad6a266af8c3b107ce78ad
kdelibs-devel-2.2.2-16.i586.rpm
2477357 37096b62bf62aea2a239dbbd57a500f7

<Turbolinux 8 Workstation>

Source Packages
Size : MD5

kdelibs-2.2.2-16.src.rpm
6024245 c35a6cfb84583fd69159c79e7018b61f

Binary Packages
Size : MD5

arts-2.2.2-16.i586.rpm
823892 e45d94e19dfa14b7be0a64603f8c6a75
arts-devel-2.2.2-16.i586.rpm
71625 42e2eafc27506a15fa4acad18e531c95
kdelibs-2.2.2-16.i586.rpm
7815317 53a6e2cafa1aeac26d520c2150377785
kdelibs-devel-2.2.2-16.i586.rpm
2477118 bc04c10ff9d216fc922d7bdbf17a5d6a

<Turbolinux 7 Server>

Source Packages
Size : MD5

kdelibs-2.2.2-16.src.rpm
6024245 c822b6ed0256d74987964d17317c150a

Binary Packages
Size : MD5

arts-2.2.2-16.i586.rpm
741313 e2358094f0e58bcf8ccb80d6498b122f
arts-devel-2.2.2-16.i586.rpm
70969 66e0fcd4ae3d9df9bc466b12fbf8901d
kdelibs-2.2.2-16.i586.rpm
7342876 0c815a1a31d4a3ec1c9abbf7ef115696
kdelibs-devel-2.2.2-16.i586.rpm
2476081 ea8a7058faa29c5057dc4ae7164b95e1

<Turbolinux 7 Workstation>

Source Packages
Size : MD5

kdelibs-2.2.2-16.src.rpm
6024245 f656c769d633587919c02e1b80b0fb45

Binary Packages
Size : MD5

arts-2.2.2-16.i586.rpm
741603 ae2a204bc28ccab1f3f8dea2665294a6
arts-devel-2.2.2-16.i586.rpm
70930 8a3886c8d9b68bd373e2ffecb80488fd
kdelibs-2.2.2-16.i586.rpm
7340395 f86635b55c16b6bd0dce415ab5aaabd4
kdelibs-devel-2.2.2-16.i586.rpm
2475995 deeb63aca039f55b1d4eb1e1b5cb3a6b

Vendor URL:  www.kde.org/info/security/advisory-20030729-1.txt
Cause:   Access control error, State error
Underlying OS:  Linux (Turbo Linux)
Underlying OS Comments:  Server and Workstation; 7 and 8

Message History:   This archive entry is a follow-up to the message listed below.
Jul 29 2003 KDE Konqueror May Disclose URL-based Passwords to Remote Users Via the Referer Field

Source Message Contents

Subject:  [Full-Disclosure] [TURBOLINUX SECURITY INFO] 30/Jul/2003


This is an announcement-only email list for the x86 architecture.
============================================================
Turbolinux Security Announcement 30/Jul/2003
============================================================

The following page contains the security information of Turbolinux Inc.

 - Turbolinux Security Center
   http://www.turbolinux.com/security/

 (1) kdelibs -> Konqueror Referer Leaking Website Authentication Credentials


===========================================================
* kdelibs -> Konqueror Referer Leaking Website Authentication Credentials
===========================================================

 More information :
    kdelibs is the main set of libraries for the K Desktop Environment.
    Konqueror may inadvertently send authentication credentials in clear
    text to websites other than the intended one via the HTTP Referer
    header when the credentials are passed as part of a URL in the form
    http://user:password@host/

 Impact :
    Users of Konqueror may unknowingly disclose website authentication
    credentials to third-party sites linked from the password-protected
    website. Those third parties may then be able to gain unauthorized
    access to the password-protected website.

 Affected Products :
    - Turbolinux 8 Server
    - Turbolinux 8 Workstation
    - Turbolinux 7 Server
    - Turbolinux 7 Workstation

 Solution :
    Please use the turbopkg tool to apply the update.


 References :

 KDE Security Advisory
   http://www.kde.org/info/security/advisory-20030729-1.txt

 CVE
   [CAN-2003-0459]
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0459


 * You may need to update the turbopkg tool before applying the update.
Please refer to the following URLs for detailed information.

  http://www.turbolinux.com/download/zabom.html
  http://www.turbolinux.com/download/zabomupdate.html

Package Update Path
http://www.turbolinux.com/update

============================================================
 * To obtain the public key

Here is the public key

 http://www.turbolinux.com/security/

If you have any questions or problems, please contact
<supp_info@turbolinux.co.jp>

Thank you!
