FreeBSD : KDE -- multiple vulnerabilities (6f358f5a-c7ea-11de-a9f3-0030843d3802)

This script is Copyright (C) 2009-2015 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

oCERT reports :

Ark input sanitization errors: The KDE archiving tool, Ark, performs
insufficient validation which leads to specially crafted archive
files, using unknown MIME types, to be rendered using a KHTML
instance; this can trigger uncontrolled XMLHTTPRequests to remote
sites.

IO Slaves input sanitization errors: KDE protocol handlers perform
insufficient input validation; an attacker can craft a malicious URI
that would trigger JavaScript execution. Additionally the 'help://'
protocol handler suffers from directory traversal. It should be noted
that the scope of this issue is limited as the malicious URIs cannot
be embedded in Internet hosted content.

KMail input sanitization errors: The KDE mail client, KMail, performs
insufficient validation which leads to specially crafted email
attachments, using unknown MIME types, to be rendered using a KHTML
instance; this can trigger uncontrolled XMLHTTPRequests to remote
sites.

The exploitation of these vulnerabilities is unlikely according to
Portcullis and KDE but the execution of active content is nonetheless
unexpected and might pose a threat.

See also :

http://www.ocert.org/advisories/ocert-2009-015.html
http://www.nessus.org/u?b1576fa0

Solution :

Update the affected packages.

Risk factor :

High

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 42342 (freebsd_pkg_6f358f5ac7ea11dea9f30030843d3802.nasl)

Bugtraq ID:

CVE ID:
