KDE Konqueror Referer Authentication Credentials Disclosure

squeen
Moderator
Posts: 2933
Joined: Fri May 09, 2003 6:10 am
Location: Maryland, USA


Post by squeen » Mon Aug 11, 2003 3:34 pm

Since Konqueror 3.0.5a seems to be running fine under IRIX, this is worth noting:

Description
-------------------------------------------------------------------------------------
The Konqueror web browser included with KDE versions prior to 3.1.3 sends authentication credentials in plaintext through the HTTP-referer header. An attacker who can sniff network traffic can collect such credentials to gain access to password-protected sites.

Warning Indicators
-------------------------------------------------------------------------------------
Systems running KDE versions prior to 3.1.3 are vulnerable.

Patches/Software
-------------------------------------------------------------------------------------
KDE 2.2.2 and 3.0.x users are advised to upgrade to KDE 3.1.3. For users who are unable to upgrade, patches are available at the following direct-download FTP link: KDE (http://devel-home.kde.org/~hausmann/snapshots/konqueror-embedded-snapshot-20030705.tar.gz). Users are advised to upgrade Konqueror Embedded to a snapshot dated July 5, 2003, or later, available at the following direct-download link: Konqueror Embedded (http://devel-home.kde.org/~hausmann/snapshots/konqueror-embedded-snapshot-20030705.tar.gz)


I haven't tried to patch it yet.
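The advisory above only says that credentials end up in the Referer header. The usual way that happens is a browser copying the previous page's URL verbatim, including a user:password@host part, into the header. The following is an added example, not KDE code and not from the advisory: it flags such a Referer and shows the credential-free form a fixed browser would send, then runs that check over a few constructed proxy log lines (the function names and log format are assumptions for illustration).

```python
"""Detect and strip credentials embedded in Referer URLs.

Added example for the Konqueror < 3.1.3 issue described above. Assumes the
leak is a userinfo component (user:password@host) copied from the previous
URL into the Referer header. Not KDE code; sample log lines are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def referer_leaks_credentials(referer: str) -> bool:
    """True if the URL carries a userinfo component (username or password)."""
    parts = urlsplit(referer)
    return parts.username is not None or parts.password is not None


def strip_credentials(referer: str) -> str:
    """Return the Referer with any user:password@ removed (what a fixed browser sends)."""
    parts = urlsplit(referer)
    if parts.username is None and parts.password is None:
        return referer
    host = parts.hostname or ""
    if ":" in host:  # bare IPv6 literal must be re-bracketed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


# Constructed proxy log lines (not real traffic): "client method url referer"
SAMPLE_LOG = """\
10.0.0.5 GET http://intranet.example/page2 http://alice:s3cret@intranet.example/page1
10.0.0.5 GET http://intranet.example/page3 http://intranet.example/page2
10.0.0.9 GET http://example.org/ -
"""


def find_leaking_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client, sanitized referer) for each line whose Referer leaks credentials."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] == "-":
            continue  # no Referer sent on this request
        if referer_leaks_credentials(fields[3]):
            hits.append((fields[0], strip_credentials(fields[3])))
    return hits


if __name__ == "__main__":
    for client, ref in find_leaking_requests(SAMPLE_LOG):
        print(f"{client}: credentials leaked in Referer; safe form is {ref}")
```

Running this over real proxy or web-server logs (where the Referer column is logged) gives a quick way to find clients still running an affected browser.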

whiter
Posts: 975
Joined: Tue Apr 29, 2003 2:02 pm
Location: Melbourne, Australia

Post by whiter » Tue Aug 12, 2003 11:08 am

Work is in progress on porting KDE 3.1.3 to IRIX. Hopefully it goes a bit fast. Luckily I don't stand alone in 'the fight' ;-)
Shall I describe it to you? Or do you want me to get you a box?

