Bugzilla – Bug 64194
VUL-0: CVE-2004-1158: KDE Security Advisory: Konqueror Window Injection Vulnerability
Last modified: 2021-10-04 10:26:16 UTC
We received the following report via vendor-sec. The issue is public. Date: Mon, 13 Dec 2004 17:35:00 +0100 From: Waldo Bastian <bastian@kde.org> To: kde-packager@kde.org, vendor-sec@lst.de Cc: security@kde.org Subject: [vendor-sec] KDE Security Advisory: Konqueror Window Injection Vulnerability KDE Security Advisory: Konqueror Window Injection Vulnerability Original Release Date: 2004-12-13 URL: http://www.kde.org/info/security/advisory-20041213-1.txt 0. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1158 http://secunia.com/advisories/13254/ http://secunia.com/secunia_research/2004-13/advisory http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ http://bugs.kde.org/show_bug.cgi?id=94812 http://www.kde.org/info/security/advisory-20040811-3.txt 1. Systems affected: All versions of KDE up to KDE 3.3.2 inclusive. 2. Overview: The Konqueror webbrowser allows websites to load webpages into a window or tab currently used by another website. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1158 to this issue. This vulnerability is similar to the Konqueror Frame Injection Vulnerability reported on 2004-08-11 but the solution offered as part of that advisory did not cover the window case. 3. Impact: A malicious website could abuse Konquer to load its own content into a window or tab that was opened by a trusted website or it could trick a trusted website into loading content into an existing window or tab. This may be abused to confuse the user about the origin of a certain webpage. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patches for KDE 3.2.3 are available from ftp://ftp.kde.org/pub/kde/security_patches : 4d61d568e822d781308caa73050930bd post-3.2.3-kdelibs-htmlframes2.patch 7340cfd22ee46a6d65e001179c082b08 post-3.2.3-kdebase-htmlframes2.patch Patches for KDE 3.3.2 are available from ftp://ftp.kde.org/pub/kde/security_patches : d2e513a039ba44becf5728b983b78fc4 post-3.3.2-kdelibs-htmlframes2.patch 31688394bea2dd685371d9d3da9ec2ab post-3.3.2-kdebase-htmlframes2.patch 6. Time line and credits: 19/11/2004 security@kde.org contacted by Secunia 08/12/2004 Advisory & test case publishd by Secunia 11/12/2004 Konqueror patches posted for review 13/12/2004 KDE Advisory released
ping? will we release updates for this?
Yes, we will. There are two other problems pending to be fixed: liveconnect and smb passwords. Problem is our KDE security master is already on vacation and I'm half way there and have little time this week.
packages and patchinfos are submitted.
packages approved
CVE-2004-1158: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)