SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Browser)  >   KDE Konqueror
Vendors:   KDE.org
KDE Konqueror Java Bugs Let Remote Users Access Restricted Java Classes
SecurityTracker Alert ID:  1012631
SecurityTracker URL:  http://securitytracker.com/id/1012631
CVE Reference:   CVE-2004-1145
Date:  Dec 20 2004
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 3.3.1 and prior versions
Description:   A vulnerability was reported in KDE Konqueror in the Java implementation. A remote user can bypass the Java sandbox security mechanism and can also gain access to certain restricted Java classes.

The vendor reported that a remote user can create JavaScript that, when loaded by the target user, will be able to bypass the Java sandbox security mechanisms and access restricted Java classes. Also, a remote user can create Java code that, when loaded by the target user, can access certain Java classes that it should not be able to access.

In both cases, the applet may be able to obtain elevated privileges to read and write files with the privileges of the target user.

The vendor was notified on November 24, 2004.

heise Security is credited with reporting this flaw.

A demonstration exploit check is available at:

http://www.heise.de/security/dienste/browsercheck/tests/java.shtml

Impact:   A remote user can access restricted Java classes and potentially read and write files on the target system with the privileges of the target user.
Solution:   The vendor has issued a fixed version (3.3.2), available at:

http://www.kde.org/download/

Also, a patch is available for KDE 3.2.3:

ftp://ftp.kde.org/pub/kde/security_patches

7fc001d010c640738ed7d2fe347f002d post-3.2.3-kdelibs-khtml-java.tar.bz2

Vendor URL:  www.kde.org/info/security/advisory-20041220-1.txt
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 24 2004 (Mandrake Issues Fix) KDE Konqueror Java Bugs Let Remote Users Access Restricted Java Classes
Mandrake has released a fix.
Jan 12 2005 (Gentoo Issues Fix) KDE Konqueror Java Bugs Let Remote Users Access Restricted Java Classes
Gentoo has released a fix.
Feb 15 2005 (Red Hat Issues Fix) KDE Konqueror Java Bugs Let Remote Users Access Restricted Java Classes
Red Hat has released a fix.

Copyright 2019, SecurityGlobal.net LLC