CLA-2004:864

20040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities

11978

http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/

200408-13

http://www.kde.org/info/security/advisory-20040811-3.txt

http-frame-spoof(1598)

oval:org.mitre.oval:def:11371

A class of bugs affecting many web browsers in the same way was discovered. A Secunia advisory reports :

The problem is that the browsers don't check if a target frame belongs to a website containing a malicious link, which therefore doesn't prevent one browser window from loading content in a named frame in another window.

Successful exploitation allows a malicious website to load arbitrary content in an arbitrary frame in another browser window owned by e.g.
a trusted site.

A KDE Security Advisory reports :

A malicious website could abuse Konqueror to insert its own frames into the page of an otherwise trusted website. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website.

Secunia has provided a demonstration of the vulnerability at http://secunia.com/multiple_browsers_frame_injection_vulnerability_tes t/.

New kdelibs and kdebase packages are available for Slackware 9.1, 10.0, and -current to fix security issues.

Daniel Fabian discovered a potential privacy issue in KDE. When creating a link to a remote file from various applications, including Konqueror, the resulting URL may contain the authentication credentials used to access that remote resource. This includes, but is not limited to, browsing SMB (Samba) shares. Upon further investigation, it was found that the SMB protocol handler also unnecessarily exposed authentication credentials (CVE-2004-1171).

Another vulnerability was discovered where a malicious website could abuse Konqueror to load its own content into a window or tab that was opened by a trusted website, or it could trick a trusted website into loading content into an existing window or tab. This could lead to the user being confused as to the origin of a particular webpage and could have the user unknowingly send confidential information intended for a trusted site to the malicious site (CVE-2004-1158).

The updated packages contain a patch from the KDE team to solve this issue.

Additionally, the kdelibs and kdebase packages for Mandrakelinux 10.1 contain numerous bugfixes. New qt3 packages are being provided for Mandrakelinux 10.0 that are required to build the kdebase package.

Updated kdelib and kdebase packages that resolve multiple security issues are now available.

The kdelibs packages include libraries for the K Desktop Environment.
The kdebase packages include core applications for the K Desktop Environment.

Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0689 to this issue.

WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0721 to this issue.

A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0746 to this issue.

All users of KDE are advised to upgrade to these erratum packages, which contain backported patches from the KDE team for these issues.

The remote host is running one of the following package :

kdelibs < 3.2.3_3 kdebase < 3.2.3_1 7.50 <= linux-opera < 7.52 7.50 <= opera < 7.52 firefox < 0.9 linux-mozilla < 1.7 linux-mozilla-devel < 1.7 mozilla-gtk1 < 1.7 mozilla < 1.7,2 netscape7 < 7.2

These packages contain a bug which may allow an attacker to perform a frame injection. An attacker may exploit this flaw by setting up a rogue website which would insert its own frames in the pages of an otherwise trusted web site.

A number of vulnerabilities were discovered in KDE that are corrected with these update packages.

The integrity of symlinks used by KDE are not ensured and as a result can be abused by local attackers to create or truncate arbitrary files or to prevent KDE applications from functioning correctly (CVE-2004-0689).

The DCOPServer creates temporary files in an insecure manner. These temporary files are used for authentication-related purposes, so this could potentially allow a local attacker to compromise the account of any user running a KDE application (CVE-2004-0690). Note that only KDE 3.2.x is affected by this vulnerability.

The Konqueror web browser allows websites to load web pages into a frame of any other frame-based web page that the user may have open.
This could potentially allow a malicious website to make Konqueror insert its own frames into the page of an otherwise trusted website (CVE-2004-0721).

The Konqueror web browser also allows websites to set cookies for certain country-specific top-level domains. This can be done to make Konqueror send the cookies to all other web sites operating under the same domain, which can be abused to become part of a session fixation attack. All country-specific secondary top-level domains that use more than 2 characters in the secondary part of the domain name, and that use a secondary part other than com, net, mil, org, gove, edu, or int are affected (CVE-2004-0746).

The remote host is using a version of Mozilla that is vulnerable to cross-domain frame loading. It may allow an attacker to spoof the interface of a trusted web site. To exploit this vulnerability a victim will need to visit a web site operated by an attacker.

The remote host is missing an update to the system

The following package is affected: firefox This plugin has been deprecated since the advisory has been canceled.

ID	Name	Product	Family	Severity
56476	FreeBSD : Mutiple browser frame injection vulnerability (641859e8-eca1-11d8-b913-000c41e2cdad)	Nessus	FreeBSD Local Security Checks	high
18782	Slackware 10.0 / 9.1 / current : kde (SSA:2004-247-01)	Nessus	Slackware Local Security Checks	high
15981	Mandrake Linux Security Advisory : kdelibs (MDKSA-2004:150)	Nessus	Mandriva Local Security Checks	high
15427	RHEL 2.1 / 3 : kdelibs, kdebase (RHSA-2004:412)	Nessus	Red Hat Local Security Checks	high
14758	FreeBSD Ports : Multiple Browsers Frame Injection	Nessus	FreeBSD Local Security Checks	high
14335	Mandrake Linux Security Advisory : kdelibs/kdebase (MDKSA-2004:086)	Nessus	Mandriva Local Security Checks	high
1772	Mozilla Firefox < 1.7.1 Cross-Domain Frame Loading Vulnerability (deprecated)	Nessus Network Monitor	Web Clients	medium
14268	FreeBSD : Mutiple browser frame injection vulnerability (83) (deprecated)	Nessus	FreeBSD Local Security Checks	high
801228	Mozilla < 1.7.1 Cross-Domain Frame Loading Vulnerability	Log Correlation Engine	Web Clients	medium

CVE-2004-0721

HIGH

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

medium

high

medium