Bug 129234

Summary: CAN-2004-0746 Konqueror Cross-Domain Cookie Injection
Product: [Fedora] Fedora
Reporter: Josh Bressers <bressers>
Component: kdelibs
Assignee: Than Ngo <than>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: 2
CC: security-response-team
Keywords: Security
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-09-09 12:45:41 UTC
Attachments:
        Proposed upstream patch: post-3.0.5b-kdelibs-kcookiejar.patch
        Proposed upstream patch: post-3.1.5-kdelibs-kcookiejar.patch
        Proposed upstream patch: post-3.2.3-kdelibs-kcookiejar.patch

Description Josh Bressers 2004-08-05 14:06:55 UTC
1. Systems affected:

        All versions of KDE up to KDE 3.2.3 inclusive.


2. Overview:

        WESTPOINT internet reconnaissance services alerted the KDE
        security team that the KDE web browser Konqueror allows websites
        to set cookies for certain country specific secondary top
        level domains.


3. Impact:

        Web sites operating under the affected domains can set HTTP
        cookies in such a way that the Konqueror web browser will send
        them to all other web sites operating under the same domain.
        A malicious website can use this as part of a session fixation
        attack. See e.g. http://www.acros.si/papers/session_fixation.pdf

        Affected are all country specific secondary top level domains
        that use more than 2 characters in the secondary part of the
        domain name and that use a secondary part other than com, net,
        mil, org, gov, edu or int. Examples of affected domains are
        .ltd.uk, .plc.uk and .firm.in. It should be noted that popular
        domains such as .co.uk, .co.in and .com are NOT affected.

Embargoed until Aug 20

Should also affect FC1
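The acceptance rule the advisory describes, modelled as an added example (this is not KDE's kcookiejar code or its patch), beside a stricter list-based check; the hostname and the suffix list are constructed for illustration:

```python
# Added example, not KDE's kcookiejar code: a model of the cookie-domain
# acceptance rule the advisory describes, beside a list-based check.

GENERIC_SLDS = {"com", "net", "mil", "org", "gov", "edu", "int"}  # from the advisory
# Constructed, deliberately short list of second-level public suffixes under
# country-code TLDs; a real browser needs a complete, maintained list.
KNOWN_CC_PUBLIC_SUFFIXES = {"ltd.uk", "plc.uk", "firm.in", "co.uk", "co.in"}

def _labels(domain):
    return domain.lower().strip(".").split(".")

def is_public_suffix_heuristic(domain):
    """Flawed rule as the advisory describes it: under a 2-letter ccTLD a
    secondary label is public only if it has <= 2 chars or is generic."""
    labels = _labels(domain)
    if len(labels) == 1:
        return True  # bare TLD
    if len(labels) == 2 and len(labels[-1]) == 2:
        sld = labels[0]
        return len(sld) <= 2 or sld in GENERIC_SLDS
    return False  # e.g. 'ltd.uk' wrongly looks registrable here

def is_public_suffix_listed(domain):
    """Stricter check: also consult an explicit list of known ccTLD
    second-level public suffixes, so 'ltd.uk' is treated as public."""
    labels = _labels(domain)
    if len(labels) == 1 or ".".join(labels) in KNOWN_CC_PUBLIC_SUFFIXES:
        return True
    return is_public_suffix_heuristic(domain)

def cookie_domain_accepted(host, cookie_domain, is_public_suffix):
    """Accept a Set-Cookie Domain attribute only if it is the host itself
    or a parent domain of it, and is not a public suffix under the policy."""
    host_l, dom_l = _labels(host), _labels(cookie_domain)
    if len(dom_l) > len(host_l) or host_l[-len(dom_l):] != dom_l:
        return False  # does not domain-match the requesting host
    return not is_public_suffix(cookie_domain)

if __name__ == "__main__":
    host = "shop.example.ltd.uk"  # constructed hostname
    for policy in (is_public_suffix_heuristic, is_public_suffix_listed):
        print(policy.__name__, "accepts Domain=.ltd.uk:",
              cookie_domain_accepted(host, ".ltd.uk", policy))
```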

Comment 1 Josh Bressers 2004-08-05 16:13:02 UTC
Created attachment 102452 [details]
Proposed upstream patch

post-3.0.5b-kdelibs-kcookiejar.patch

Comment 2 Josh Bressers 2004-08-05 16:13:34 UTC
Created attachment 102453 [details]
Proposed upstream patch

post-3.1.5-kdelibs-kcookiejar.patch

Comment 3 Josh Bressers 2004-08-05 16:14:07 UTC
Created attachment 102454 [details]
Proposed upstream patch

post-3.2.3-kdelibs-kcookiejar.patch

Comment 4 Josh Bressers 2004-08-05 16:36:16 UTC
I've updated the information for these three patches below.  I thought
bugzilla would show the filename in the comment automagically.  Sorry
about that.

Comment 5 Josh Bressers 2004-08-23 14:06:41 UTC
Public, removing embargo.

Comment 6 Than Ngo 2004-08-31 19:52:37 UTC
It's fixed in kdelibs-3.1.3-6.6 and kdebase-3.1.3-5.4

Comment 7 Than Ngo 2004-08-31 19:56:14 UTC
Bressers, I'm building kdelibs/kdebase for fc1/fc2 update. Could I
push both out?