Bug 129234 - CAN-2004-0746 Konqueror Cross-Domain Cookie Injection
Product: Fedora
Classification: Fedora
Component: kdelibs
All Linux
medium Severity medium
Assigned To: Ngo Than
: Security
Reported: 2004-08-05 10:06 EDT by Josh Bressers
Modified: 2007-11-30 17:10 EST (History)

Doc Type: Bug Fix
Last Closed: 2004-09-09 08:45:41 EDT

Attachments
Proposed upstream patch post-3.0.5b-kdelibs-kcookiejar.patch (6.27 KB, patch)
2004-08-05 12:13 EDT, Josh Bressers
Proposed upstream patch post-3.1.5-kdelibs-kcookiejar.patch (6.30 KB, patch)
2004-08-05 12:13 EDT, Josh Bressers
Proposed upstream patch post-3.2.3-kdelibs-kcookiejar.patch (6.15 KB, patch)
2004-08-05 12:14 EDT, Josh Bressers

Description Josh Bressers 2004-08-05 10:06:55 EDT
1. Systems affected:

        All versions of KDE up to KDE 3.2.3 inclusive.

2. Overview:

        WESTPOINT internet reconnaissance services alerted the KDE
        security team that the KDE web browser Konqueror allows websites
        to set cookies for certain country specific secondary top
        level domains.

3. Impact:

        Web sites operating under the affected domains can set HTTP
        cookies in such a way that the Konqueror web browser will send
        them to all other web sites operating under the same domain.
        A malicious website can use this as part of a session fixation
        attack. See e.g. http://www.acros.si/papers/session_fixation.pdf

        Affected are all country specific secondary top level domains
        that use more than 2 characters in the secondary part of the
        domain name and that use a secondary part other than com, net,
        mil, org, gov, edu or int. Examples of affected domains are
        .ltd.uk, .plc.uk and .firm.in. It should be noted that popular
        domains such as .co.uk, .co.in and .com are NOT affected.

Embargoed until Aug 20

Should also affect FC1
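
The rule in section 3 of the description above, as an added example (not part of the original report and not kdelibs code). The heuristic is reconstructed from the advisory's wording only, all function names are hypothetical, and the explicit suffix list is a constructed sample showing one way to close the gap; the page does not say how the proposed patches do it.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>
using Set = std::set<std::string>;

// Split a lower-cased domain into labels, ignoring one leading dot.
static std::vector<std::string> labels(std::string d) {
    if (!d.empty() && d[0] == '.') d.erase(0, 1);
    std::vector<std::string> out;
    std::string::size_type start = 0, dot;
    while ((dot = d.find('.', start)) != std::string::npos) {
        out.push_back(d.substr(start, dot - start));
        start = dot + 1;
    }
    out.push_back(d.substr(start));
    return out;
}

// Heuristic as the advisory describes it: under a two-letter country TLD,
// "xx.cc" is a registry suffix only if xx is <= 2 chars or a generic label.
bool heuristicSuffix(const std::string& domain) {
    static const Set generic = {"com", "net", "mil", "org", "gov", "edu", "int"};
    const std::vector<std::string> l = labels(domain);
    if (l.size() == 1) return true;  // bare TLD such as ".uk"
    if (l.size() != 2 || l[1].size() != 2) return false;
    return l[0].size() <= 2 || generic.count(l[0]) > 0;
}

// Explicit-list check; the entries are a constructed sample standing in for a
// maintained list of registry suffixes.
bool listedSuffix(const std::string& domain) {
    static const Set suffixes = {"co.uk", "ltd.uk", "plc.uk", "co.in", "firm.in"};
    std::string d = domain;
    if (!d.empty() && d[0] == '.') d.erase(0, 1);
    return d.find('.') == std::string::npos || suffixes.count(d) > 0;
}

// A Domain attribute naming a registry suffix must be refused; otherwise the
// cookie is sent to every site registered under that suffix.
bool acceptCookieDomain(const std::string& domain, bool useList) {
    return !(useList ? listedSuffix(domain) : heuristicSuffix(domain));
}

int main() {
    for (const char* d : {".co.uk", ".ltd.uk", ".firm.in", ".example.ltd.uk"})
        std::cout << d << " heuristic=" << acceptCookieDomain(d, false)
                  << " list=" << acceptCookieDomain(d, true) << "\n";
}
```

With the heuristic, `.ltd.uk` and `.firm.in` are accepted as cookie domains while `.co.uk` is refused, which matches the affected and unaffected examples in the report; the list-based check refuses all three and still accepts `.example.ltd.uk`.
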
Comment 1 Josh Bressers 2004-08-05 12:13:02 EDT
Created attachment 102452
Proposed upstream patch

Comment 2 Josh Bressers 2004-08-05 12:13:34 EDT
Created attachment 102453
Proposed upstream patch

Comment 3 Josh Bressers 2004-08-05 12:14:07 EDT
Created attachment 102454
Proposed upstream patch

Comment 4 Josh Bressers 2004-08-05 12:36:16 EDT
I've updated the information for these three patches below.  I thought
bugzilla would show the filename in the comment automagically.  Sorry
about that.
Comment 5 Josh Bressers 2004-08-23 10:06:41 EDT
Public, removing embargo.
Comment 6 Ngo Than 2004-08-31 15:52:37 EDT
It's fixed in kdelibs-3.1.3-6.6 and kdebase-3.1.3-5.4.
Comment 7 Ngo Than 2004-08-31 15:56:14 EDT
Bressers, I'm building kdelibs/kdebase for fc1/fc2 update. Could I
push both out?
