Using a malicious PAC file, and then using exfiltration methods in the PAC
function FindProxyForURL() enables the attacker to expose full https URLs.
This is a security issue since https URLs may contain sensitive
information in the URL authentication part (user:password@host), and in the
path and the query (e.g. access tokens).
This attack can be carried out remotely (over the LAN) since proxy settings
allow “Detect Proxy Configuration Automatically”.
This setting uses WPAD to retrieve the PAC file, and an attacker who has access
to the victim’s LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP)
and inject his/her own malicious PAC instead of the legitimate one.
Created kdelibs tracking bugs for this issue:
Affects: fedora-all [bug 1427813]
Created kf5-kio tracking bugs for this issue:
Affects: epel-7 [bug 1427812]
Affects: fedora-all [bug 1427814]
kdelibs3-3.5.10-84.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-84.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.