BugTraq
Medium severity flaw in Konqueror Apr 11 2011 09:07PM
Tim Brown (timb nth-dimension org uk) (1 reply)
I was recently taking a look at Konqueror and spotted an example of universal
XSS. Essentially, the error page displayed when a requested URL is not
available includes said URL. If said URL includes HTML fragments these will
be rendered. CVE-2010-2952 has been assigned to this issue.

Tim
--
Tim Brown
<mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
<http://www.nth-dimension.org.uk/>

Nth Dimension Security Advisory (NDSA20110321)
Date: 21st March 2011
Author: Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Konqueror 4.4.x, 4.5.x, 4.6.x <http://konqueror.kde.org/>
Vendor: KDE <http://www.kde.org/>
Risk: Medium

Summary

The Konqueror web browser is vulnerable to HTML injection into the error
pages that are displayed when it fails to fetch the requested URL. This
could allow an arbitrary web site to be spoofed.

After discussions with the vendor, CVE-2011-1168 was assigned to this
vulnerability.

Technical Details

Konqueror 4.4.x, 4.5.x and 4.6.x are affected by HTML injection which allows
an arbitrary URL to be spoofed. Opening a fresh instance of Konqueror and
entering the following URL causes the error page HTML to become corrupted:

http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/"><h1>Test</h1>

Since Konqueror fails to resolve the hostname it will then display an
error message containing the requested URL including the HTML tags.

It is worth noting that Javascript execution does not appear to be possible
in the context of the unresolvable hostname for two reasons. Firstly
Konqueror disables Javascript within KHTMLPart::htmlError() (between the
calls to begin() and end()) and secondly because the code executes in an
empty domain preventing the cookies for the spoofed URL from being accessed.
Whilst the first of these restrictions could be bypassed in a number of
ways (see below), no method has currently been identified to bypass the
latter to break Konqueror's same origin policy.

It was identified that the first restriction could be bypassed in at least
two ways. Firstly a link can be injected with a URL in the form javascript:...
and secondly an iframe can be injected with a source URL in the form
data:text/html,... In the first case, Konqueror only interprets the link
at the point of clicking (after Javascript has been re-enabled) whilst in
the latter, Konqueror does not disable Javascript during the parsing of the
source for this iframe (i.e. between the calls to begin() and end()).

The following URL demonstrates how HTML can be injected which both takes
control of the entire visible DOM by overriding the error page styles
for an arbitrary "secure" URL and then allows Javascript to be executed
in the victim's browser:

https://secure.twitter.com/</title></head><body><style>body{margin: 10px 0; background:#C0DEED url(http://si0.twimg.com/sticky/error_pages/bg-clouds.png) repeat-x; color:%23333; font: 12px Lucida Grande, Arial, sans-serif; text-align:center};%23box {display: none}</style></div><br/><br/><br/><br/><br/><br/><br/><br/><br/><iframe width=25%25 height=180 frameBorder=0 src='data:text/html,<body style="background-color:transparent"><img src=http://si0.twimg.com/sticky/error_pages/twitter_logo_header.png><a><form><p>Username: <input type=text></p><p>Password: <input type=password></p><input type=submit value=Login></form><script>alert(1)</script></body>'><div id="box">

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

History

On 16th March 2011, Nth Dimension contacted the KDE security team to
report the described vulnerability.

On 17th March 2011, Harri Porten of KDE confirmed that he had received
the report and it had been escalated to Maksim Orlovich, a KDE developer
working on KHTML to determine the impact.

Nth Dimension worked with Maksim to evaluate the full extent
of the problem, particularly in relation to the bypass of the Javascript
restriction and any same origin policy implications, and an interim patch
was produced.

On 18th March 2011, Nth Dimension contacted Josh Bressers on behalf of
the KDE security team to request a CVE for this vulnerability which was
duly assigned.

Following the assignment of a CVE for this issue, Nth Dimension and KDE
liaised to establish a date for final publication of the advisory and
patches.

Current

As of the 23rd March 2011, the state of the vulnerabilities is believed to
be as follows. A patch has been developed which it is believed successfully
mitigates the final symptoms of this vulnerability. This patch has been
ported to 4.4.x, 4.5.x and 4.6.x branches of KDE and will be made available
to distributions in due course.

Thanks

Nth Dimension would like to thank Maksim Orlovich and Jeff Mitchell of KDE
and Josh Bressers of Redhat for the way they worked to resolve the issue.

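The following is an added example and is not code from the advisory, from KDE or from KHTML. It models the bug class Tim's advisory describes: an "unresolvable host" error page that reflects the requested URL into its markup without escaping, beside a hardened version that escapes the URL at every point of reflection. The template wording, the function names, the `.invalid` hostnames and the tag/scheme counters are assumptions made for this demonstration; only the payload shapes (`"><h1>Test</h1>` and an injected `data:` iframe) follow the advisory's proof of concept.

```javascript
// Added example, not Konqueror/KHTML code: a model of the error-page HTML
// injection in the advisory.  The template wording and hostnames are invented.

// Escape the five characters that matter in HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Shared template: the URL lands in a text node (title), a double-quoted
// attribute (href) and a second text node (link text), three injection points.
function errorPageTemplate(u) {
  return '<html><head><title>Error loading ' + u + '</title></head><body>' +
    '<div id="box">Could not resolve host for <a href="' + u + '">' + u +
    '</a></div></body></html>';
}

// Vulnerable: the raw URL is concatenated into the page, as the advisory describes.
function renderErrorPageVulnerable(url) {
  return errorPageTemplate(url);
}

// Hardened: the URL is escaped before it touches the markup.
function renderErrorPageSafe(url) {
  return errorPageTemplate(escapeHtml(url));
}

// Demonstration-only checks over the rendered markup (not a real HTML parser):
// number of element start tags, and number of src/href values whose scheme can
// carry script.  The advisory's bypasses used javascript: links and data: iframes.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}
function countScriptCapableUrls(html) {
  return (html.match(/\b(?:src|href)\s*=\s*['"]?\s*(?:javascript|data):/gi) || []).length;
}

// Tags contributed by the template itself, measured on a harmless URL.
const BASELINE_TAGS = countStartTags(renderErrorPageSafe('http://nosuchhost.invalid/'));

// Constructed payloads shaped like the advisory's proof of concept.
const TAG_PAYLOAD =
  'http://thisdomainwillnotresolve.invalid/"><h1>Test</h1>';
const IFRAME_PAYLOAD =
  'https://secure.invalid/</title></head><body>' +
  '<iframe src=\'data:text/html,<script>alert(1)</script>\'><div id="box">';

// For one payload, how many extra tags and script-capable URLs each renderer
// lets through, and whether the safe page still shows the requested URL text.
function measure(payload) {
  const vuln = renderErrorPageVulnerable(payload);
  const safe = renderErrorPageSafe(payload);
  return {
    vulnerableExtraTags: countStartTags(vuln) - BASELINE_TAGS,
    vulnerableScriptUrls: countScriptCapableUrls(vuln),
    safeExtraTags: countStartTags(safe) - BASELINE_TAGS,
    safeScriptUrls: countScriptCapableUrls(safe),
    safeKeepsUrlText: safe.includes(escapeHtml(payload)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(
    { tag: measure(TAG_PAYLOAD), iframe: measure(IFRAME_PAYLOAD) }, null, 2));
}
```

The point the counters make is the one in the advisory's Solutions section: the injected `<h1>` and the `data:` iframe appear once per reflection point in the vulnerable page and not at all once the URL is escaped, while the error page still displays the URL the user typed. Escaping must cover every reflection point; here the attribute context (`href="..."`) is the one the `">` prefix in the proof of concept breaks out of.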
Re: [Full-disclosure] Medium severity flaw in Konqueror Apr 12 2011 02:36AM
Vincent Danen (vdanen redhat com)