Bug 129234 - CAN-2004-0746 Konqueror Cross-Domain Cookie Injection
Summary: CAN-2004-0746 Konqueror Cross-Domain Cookie Injection
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kdelibs
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Than Ngo
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-08-05 14:06 UTC by Josh Bressers
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2004-09-09 12:45:41 UTC
Type: ---
Embargoed:


Attachments
Proposed upstream patch post-3.0.5b-kdelibs-kcookiejar.patch (6.27 KB, patch)
2004-08-05 16:13 UTC, Josh Bressers
Proposed upstream patch post-3.1.5-kdelibs-kcookiejar.patch (6.30 KB, patch)
2004-08-05 16:13 UTC, Josh Bressers
Proposed upstream patch post-3.2.3-kdelibs-kcookiejar.patch (6.15 KB, patch)
2004-08-05 16:14 UTC, Josh Bressers

Description Josh Bressers 2004-08-05 14:06:55 UTC
1. Systems affected:

        All versions of KDE up to KDE 3.2.3 inclusive.


2. Overview:

        WESTPOINT internet reconnaissance services alerted the KDE
        security team that the KDE web browser Konqueror allows websites
        to set cookies for certain country specific secondary top
        level domains.


3. Impact:

        Web sites operating under the affected domains can set HTTP
        cookies in such a way that the Konqueror web browser will send
        them to all other web sites operating under the same domain.
        A malicious website can use this as part of a session fixation
        attack. See e.g. http://www.acros.si/papers/session_fixation.pdf

        Affected are all country specific secondary top level domains
        that use more than 2 characters in the secondary part of the
        domain name and that use a secondary part other than com, net,
        mil, org, gov, edu or int. Examples of affected domains are
        .ltd.uk, .plc.uk and .firm.in. It should be noted that popular
        domains such as .co.uk, .co.in and .com are NOT affected.



Embargoed until Aug 20

Should also affect FC1
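
The affected-domain rule from the advisory above, modelled as an added example (not kdelibs code and not the attached upstream patches): a length/keyword guess about what counts as a registry suffix, compared with an explicit suffix lookup. All function names, the host names and the sample suffix set are constructed for illustration.

```python
# Added illustration: models the rule as the advisory words it; not kdelibs code.
GENERIC_SECOND_LEVEL = {"com", "net", "mil", "org", "gov", "edu", "int"}

# Constructed sample of registry-controlled suffixes. A real check would load a
# maintained list such as the Public Suffix List.
SAMPLE_SUFFIXES = {"com", "uk", "in", "co.uk", "ltd.uk", "plc.uk", "co.in", "firm.in"}

def normalize(name):
    """Lower-case a host or cookie Domain value and drop leading/trailing dots."""
    return name.lower().strip(".")

def heuristic_is_suffix(domain):
    """Length/keyword guess implied by the advisory's description (assumption)."""
    labels = normalize(domain).split(".")
    if len(labels) == 1:
        return True  # bare TLD
    if len(labels) == 2 and len(labels[1]) == 2:  # <secondary>.<country code>
        return len(labels[0]) <= 2 or labels[0] in GENERIC_SECOND_LEVEL
    return False

def listed_is_suffix(domain):
    """Explicit lookup: no guessing from label length."""
    return normalize(domain) in SAMPLE_SUFFIXES

def cookie_domain_allowed(request_host, cookie_domain, is_suffix):
    """Accept a Domain value only if it is not a suffix and covers the host."""
    host, dom = normalize(request_host), normalize(cookie_domain)
    if is_suffix(dom):
        return False
    return host == dom or host.endswith("." + dom)

def over_broad_acceptances(cases):
    """Return the (host, domain) pairs the heuristic accepts but the list rejects."""
    return [c for c in cases
            if cookie_domain_allowed(*c, heuristic_is_suffix)
            and not cookie_domain_allowed(*c, listed_is_suffix)]

CASES = [  # constructed (setting host, cookie Domain) pairs
    ("shop.example.ltd.uk", ".ltd.uk"), ("shop.example.plc.uk", ".plc.uk"),
    ("www.example.firm.in", ".firm.in"), ("www.example.co.uk", ".co.uk"),
    ("www.example.co.in", ".co.in"), ("www.example.com", ".com"),
    ("shop.example.ltd.uk", ".example.ltd.uk"),
]

if __name__ == "__main__":
    for host, dom in over_broad_acceptances(CASES):
        print(f"heuristic accepts Domain={dom} set by {host}")
```

A cookie jar audit can use the same comparison to flag stored cookies whose Domain value is itself a registry suffix.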

Comment 1 Josh Bressers 2004-08-05 16:13:02 UTC
Created attachment 102452 [details]
Proposed upstream patch

post-3.0.5b-kdelibs-kcookiejar.patch

Comment 2 Josh Bressers 2004-08-05 16:13:34 UTC
Created attachment 102453 [details]
Proposed upstream patch

post-3.1.5-kdelibs-kcookiejar.patch

Comment 3 Josh Bressers 2004-08-05 16:14:07 UTC
Created attachment 102454 [details]
Proposed upstream patch

post-3.2.3-kdelibs-kcookiejar.patch

Comment 4 Josh Bressers 2004-08-05 16:36:16 UTC
I've updated the information for these three patches below.  I thought
bugzilla would show the filename in the comment automagically.  Sorry
about that.

Comment 5 Josh Bressers 2004-08-23 14:06:41 UTC
public, removing embargo.

Comment 6 Than Ngo 2004-08-31 19:52:37 UTC
It's fixed in kdelibs-3.1.3-6.6 and kdebase-3.1.3-5.4

Comment 7 Than Ngo 2004-08-31 19:56:14 UTC
Bressers, I'm building kdelibs/kdebase for fc1/fc2 update. Could I
push both out?

