It was reported [1] that when KDE encounters an "internal server error" and also prints out the URL that caused the error that it would include the username and password (if supplied) to the resource that caused the error. For instance, it would show "https://user:password@remotehost.com" or similar. This is due to kioslave/http/http.cpp using m_request.url.url() rather than the sanitized m_request.url.prettyUrl(). This issue is fixed in git [2]. Note that this information is printed out to the local user actively using the computer. [1] https://bugs.kde.org/show_bug.cgi?id=319428 [2] https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp
Created kdelibs tracking bugs for this issue Affects: fedora-all [bug 961982]
This seems to go back as far as KDE3: vdanen@cerberus:~/cvs-scratch/rhel/kdelibs/rhel-5.9/kdelibs-3.5.4/kioslave/http/ >% grep -n error http.cc|grep 'url.url' 2215: error( ERR_DOES_NOT_EXIST, m_request.url.url() ); 2220: error( ERR_COULD_NOT_CONNECT, m_request.url.url() ); 2894: error(ERR_INTERNAL_SERVER, m_request.url.url()); 2934: error(ERR_DOES_NOT_EXIST, m_request.url.url());
Created kdelibs3 tracking bugs for this issue Affects: fedora-all [bug 962001]
As per http://www.openwall.com/lists/oss-security/2013/05/11/2 this was assigned CVE-2013-2074.
the fix was already committed into fedora branch
kdelibs3-3.5.10-53.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-53.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
kdelibs3-3.5.10-53.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.