Bug 532428

Summary: kdelibs: unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: bressers, jgrulich, jreznik, kevin, rdieter, than
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2015-08-21 22:45:46 UTC
Bug Blocks: 532021

Description Tomas Hoger 2009-11-02 10:12:52 UTC
Multiple issues were reported as part of oCERT-2009-015:

  http://www.ocert.org/advisories/ocert-2009-015.html

This bug is for tracking a problem in XMLHttpRequest.  The implementation of this feature in kdelibs / khtml did not restrict the protocol types that can be used with XMLHttpRequest, allowing malicious JavaScript to access local disk files using the file:// URL type.

This problem only occurred when the malicious file was opened in the null domain, i.e. when opened from disk or from Ark's preview mentioned in the oCERT advisory.  The same origin policy blocks exploitation of this problem when the malicious html file is opened from a remote host.

Upstream fix, restricting the list of URL types allowed for XMLHttpRequest to http(s) and webdav:

  http://websvn.kde.org/?view=revision&revision=1035539

3.x backport:

  http://www.davidfaure.fr/2009/xmlhttprequest_3.x.diff

Comment 1 Tomas Hoger 2009-11-02 10:33:02 UTC
Note: This fix does not seem to mitigate all risks of malicious JavaScript in local files, as access to arbitrary remote URLs still seems to be allowed.

Comment 5 Lukáš Tinkl 2009-11-02 14:29:54 UTC
I'll prepare and commit patches for Fedora, as a start.

Comment 8 Tomas Hoger 2010-04-27 13:14:51 UTC
Upstream bug report to track the issue mentioned in comment #1:
  https://bugs.kde.org/show_bug.cgi?id=235468

Comment 10 Kevin Kofler 2011-10-05 08:54:49 UTC
Oh fun, a 2009 security issue being dug up from under the drawer?

I guess we should apply that xmlhttprequest_3.x.diff to our kdelibs3 packages.

Comment 11 Tomas Hoger 2011-10-05 10:03:29 UTC
That fix is still only partial; the important missing part is not allowing remote access (see the bug in comment #8).  For posterity, firefox currently allows a local html file to XHR other local files in the same directory, or subdirectories, while webkit based browsers do not allow that (as current kdelibs).
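The policies discussed in this bug, modelled as an added example for this page. This is not kdelibs/khtml code (the real check is C++ in khtml's XMLHttpRequest implementation) and not Firefox or WebKit code; the function names, the sample URLs and the decision to model a file:// document as having a null origin are assumptions made for the example. It shows the three points the thread makes: before the fix a page opened from disk could XHR file:// targets while the same origin policy already stopped a remotely hosted page from doing so; the fix closes file:// by whitelisting http(s) and webdav (as the description states; any further scheme is unknown from this page); and, as comments 1 and 11 note, a local page can still XHR arbitrary remote URLs after the fix. Comment 11's description of Firefox behaviour is modelled as a third policy.

```javascript
// Added model of the XMLHttpRequest URL policy discussed in bug 532428.
// Not kdelibs, Firefox or WebKit code; names, sample URLs and the
// "file:// page has a null origin" modelling are assumptions.

// Schemes the upstream fix leaves usable for XHR, per the bug description.
const ALLOWED_XHR_SCHEMES = new Set(["http:", "https:", "webdav:"]);

// Origin of a document or request target: null for file:// URLs (a page
// opened from disk or from Ark's preview), scheme://host:port otherwise.
function originOf(urlString) {
  const u = new URL(urlString); // the URL parser also lowercases the scheme
  return u.protocol === "file:" ? null : u.origin;
}

// Same origin rule as it applied before the fix: a remotely hosted page may
// only reach its own origin, but a null-origin (local) page is not restricted.
function sameOriginOk(pageUrl, targetUrl) {
  const page = originOf(pageUrl);
  return page === null || page === originOf(targetUrl);
}

// Pre-fix khtml: same origin rule only, so a local page can XHR file:// targets.
function xhrAllowedBeforeFix(pageUrl, targetUrl) {
  return sameOriginOk(pageUrl, targetUrl);
}

// Post-fix khtml (r1035539 / the 3.x backport): additionally reject any target
// scheme outside the whitelist. This closes file://, but a local page may
// still reach arbitrary remote hosts (the gap tracked in KDE bug 235468).
function xhrAllowedAfterFix(pageUrl, targetUrl) {
  return sameOriginOk(pageUrl, targetUrl) &&
         ALLOWED_XHR_SCHEMES.has(new URL(targetUrl).protocol);
}

// Firefox behaviour as described in comment 11: a local page may XHR other
// local files in its own directory or below. Remote targets are treated as
// in the post-fix khtml model, which is an assumption of this example.
function xhrAllowedFirefoxStyle(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (page.protocol === "file:" && target.protocol === "file:") {
    // pathname is already normalised, so "../" segments cannot escape the
    // directory prefix; the trailing "/" keeps "Downloads2/" from matching.
    const dir = page.pathname.slice(0, page.pathname.lastIndexOf("/") + 1);
    return target.pathname.startsWith(dir);
  }
  return xhrAllowedAfterFix(pageUrl, targetUrl);
}

// Constructed sample URLs: a downloaded page, a sensitive local file, an
// attacker-controlled host (all invented for this example).
const LOCAL_PAGE   = "file:///home/user/Downloads/invoice.html";
const LOCAL_FILE   = "file:///etc/passwd";
const REMOTE_PAGE  = "http://attacker.example/invoice.html";
const ATTACKER_URL = "http://attacker.example/collect";

// Two-step attack via XHR alone: read a local file, then post its contents to
// a remote host. Both requests must pass the policy for this path to work.
function exfiltrationViaXhrPossible(policy) {
  return policy(LOCAL_PAGE, LOCAL_FILE) && policy(LOCAL_PAGE, ATTACKER_URL);
}

function summary() {
  return {
    beforeFixExfiltration: exfiltrationViaXhrPossible(xhrAllowedBeforeFix),
    afterFixExfiltration: exfiltrationViaXhrPossible(xhrAllowedAfterFix),
    remotePageReadsLocalFileBeforeFix: xhrAllowedBeforeFix(REMOTE_PAGE, LOCAL_FILE),
    localPageReachesRemoteAfterFix: xhrAllowedAfterFix(LOCAL_PAGE, ATTACKER_URL),
  };
}

console.log(summary());
```

The last field of `summary()` is the residual issue from comments 1 and 11: the scheme whitelist stops the read of file:// targets but does nothing about the second XHR to a remote host, so a local page with scripts still has unrestricted outbound access.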