Bug 961981 (CVE-2013-2074) - CVE-2013-2074 kdelibs: prints passwords contained in HTTP URLs in error messages
Summary: CVE-2013-2074 kdelibs: prints passwords contained in HTTP URLs in error messages
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2013-2074
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20130506,reported=2...
Depends On: 961982 962001
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-05-10 21:26 UTC by Vincent Danen
Modified: 2019-06-10 11:00 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 11:00:37 UTC


Attachments (Terms of Use)

Description Vincent Danen 2013-05-10 21:26:00 UTC
It was reported [1] that when KDE encounters an "internal server error" and also prints out the URL that caused the error that it would include the username and password (if supplied) to the resource that caused the error.  For instance, it would show "https://user:password@remotehost.com" or similar.  This is due to kioslave/http/http.cpp using m_request.url.url() rather than the sanitized m_request.url.prettyUrl().  This issue is fixed in git [2].

Note that this information is printed out to the local user actively using the computer.

[1] https://bugs.kde.org/show_bug.cgi?id=319428
[2] https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp

Comment 1 Vincent Danen 2013-05-10 21:27:11 UTC
Created kdelibs tracking bugs for this issue

Affects: fedora-all [bug 961982]

Comment 2 Vincent Danen 2013-05-10 22:16:12 UTC
This seems to go back as far as KDE3:

vdanen@cerberus:~/cvs-scratch/rhel/kdelibs/rhel-5.9/kdelibs-3.5.4/kioslave/http/ >% grep -n error http.cc|grep 'url.url'
2215:        error( ERR_DOES_NOT_EXIST, m_request.url.url() );
2220:        error( ERR_COULD_NOT_CONNECT, m_request.url.url() );
2894:              error(ERR_INTERNAL_SERVER, m_request.url.url());
2934:          error(ERR_DOES_NOT_EXIST, m_request.url.url());

Comment 4 Vincent Danen 2013-05-10 22:21:15 UTC
Created kdelibs3 tracking bugs for this issue

Affects: fedora-all [bug 962001]

Comment 5 Vincent Danen 2013-05-11 05:23:56 UTC
As per http://www.openwall.com/lists/oss-security/2013/05/11/2 this was assigned CVE-2013-2074.

Comment 6 Ngo Than 2013-05-13 16:25:28 UTC
the fix was already committed into fedora branch

Comment 7 Fedora Update System 2013-05-27 03:28:00 UTC
kdelibs3-3.5.10-53.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-05-29 00:55:23 UTC
kdelibs3-3.5.10-53.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-05-29 00:58:17 UTC
kdelibs3-3.5.10-53.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.