129234 – CAN-2004-0746 Konqueror Cross-Domain Cookie Injection

Bug 129234 - CAN-2004-0746 Konqueror Cross-Domain Cookie Injection

Summary: CAN-2004-0746 Konqueror Cross-Domain Cookie Injection

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	kdelibs
Sub Component:
Version:	2
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Than Ngo
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-08-05 14:06 UTC by Josh Bressers
Modified:	2007-11-30 22:10 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2004-09-09 12:45:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Proposed upstream patch post-3.0.5b-kdelibs-kcookiejar.patch (6.27 KB, patch) 2004-08-05 16:13 UTC, Josh Bressers	no flags	Details \| Diff
Proposed upstream patch post-3.1.5-kdelibs-kcookiejar.patch (6.30 KB, patch) 2004-08-05 16:13 UTC, Josh Bressers	no flags	Details \| Diff
Proposed upstream patch post-3.2.3-kdelibs-kcookiejar.patch (6.15 KB, patch) 2004-08-05 16:14 UTC, Josh Bressers	no flags	Details \| Diff
View All

Description Josh Bressers 2004-08-05 14:06:55 UTC

1. Systems affected:

        All versions of KDE up to KDE 3.2.3 inclusive.


2. Overview:

        WESTPOINT internet reconnaissance services alerted the KDE
        security team that the KDE web browser Konqueror allows websites
        to set cookies for certain country specific secondary top
level domains.


3. Impact:

        Web sites operating under the affected domains can set HTTP
        cookies in such a way that the Konqueror web browser will send
them
        to all other web sites operating under the same domain.
        A malicious website can use this as part of a session fixation
        attack. See e.g. http://www.acros.si/papers/session_fixation.pdf

        Affected are all country specific secondary top level domains
that use more than 2 characters in the secondary part of the domain
name and that use a secondary part other than com, net, mil, org, gov,
       edu or int. Examples of affected domains are .ltd.uk, .plc.uk
and        .firm.in It should be noted that popular domains such as
.co.uk, .co.in and .com are NOT affected.



Embargoed until Aug 20

Should also affect FC1

Comment 1 Josh Bressers 2004-08-05 16:13:02 UTC

Created attachment 102452 [details]
Proposed upstream patch

post-3.0.5b-kdelibs-kcookiejar.patch

Comment 2 Josh Bressers 2004-08-05 16:13:34 UTC

Created attachment 102453 [details]
Proposed upstream patch

post-3.1.5-kdelibs-kcookiejar.patch

Comment 3 Josh Bressers 2004-08-05 16:14:07 UTC

Created attachment 102454 [details]
Proposed upstream patch

post-3.2.3-kdelibs-kcookiejar.patch

Comment 4 Josh Bressers 2004-08-05 16:36:16 UTC

I've updated the information for these three patches below.  I though
bugzilla would show the filename in the comment automagically.  Sorry
about that.

Comment 5 Josh Bressers 2004-08-23 14:06:41 UTC

public, removing embargo.

Comment 6 Than Ngo 2004-08-31 19:52:37 UTC

it's fixed in kdelibs-3.1.3-6.6 and kdebase-3.1.3-5.4

Comment 7 Than Ngo 2004-08-31 19:56:14 UTC

Bressers, i'm building kdelibs/kdebase for fc1/fc2 update. Could i
push both out?

Comment 8 Mark J. Cox 2004-09-09 12:45:41 UTC

http://www.redhat.com/archives/fedora-announce-list/2004-September/msg00010.html
http://www.redhat.com/archives/fedora-announce-list/2004-September/msg00011.html

Note You need to log in before you can comment on or make changes to this bug.