Konqueror Cross Site Scripting Vulnerability

    11 Sep 2002
    Konqueror

    The KDE Project released two security advisories today.
    The first advisory is about a vulnerability in handling secure cookies, which has been fixed already in the KDE 3.0.3 release. Another vulnerability was discovered last week on Bugtraq, which is related to the cross site scripting protection in Konqueror. A patch and an updated kdelibs package were released today to fix both problems. The KDE 3.0.3 Info page was updated as well. It is recommended to upgrade immediately.

    Comments

    Score: 0

    Patch for KDE 3.0 for Cross Scripting Vulnerability

    Will there be a patch for the Cross Scripting Vulnerability for versions other than 2.2.2 or 3.0.3, i.e. 3.0?

    Thanks

    Score: 0

    Re: Patch for KDE 3.0 for Cross Scripting Vulnerability

    Oh... By the way... Thanks for providing the patch for the Secure Cookie Vulnerability. It made my life a whole lot easier.

    Score: 0

    Re: Patch for KDE 3.0 for Cross Scripting Vulnerability

    Did you try that the 3.0.3 patch doesn't apply to 3.0?

    Score: 0

    Re: Patch for KDE 3.0 for Cross Scripting Vulnerability

    It isn't needed; the bug was introduced between 3.0.2 and 3.0.3, IIRC.

    Rich.

    Score: 0

    Re: Patch for KDE 3.0 for Cross Scripting Vulnerability

    Did anyone read the advisory? It reads "Systems affected: KDE 3.0 - 3.0.3".

    Score: 0

    Debian packages

    Debian 3.0.3a packages have been uploaded to ktown and should hit mirrors shortly; a 2.2.2 DSA for stable (woody) has been sent to the security team, and a 2.2.2 upload for unstable (sid) will be made within a couple of hours.

    Score: 0

    Re: Debian packages

    3.0.3a has hit the mirrors, and the 2.2.2 unstable upload has hit sid; the 2.2.2 woody DSA is still building on all the architectures (including m68k, arm, etc). Have at it.

    Score: 0

    Compiling

    Must one recompile everything after installing a new kdelibs?

    Score: 0

    Re: Compiling

    > Must one recompile everything after installing a new kdelibs?

    I seriously doubt it (unless you've linked things statically...)

    -- Rex

    Score: 0

    Re: Compiling

    Definitely no.

    Score: 0

    MSIE & Konqueror same exploit

    Does anybody know why, when a security bug appears in MS Internet Explorer, the same problem soon emerges in Konqueror?

    I mean SSL Certificates, and now Cross Site Scripting.

    Is it just a coincidence?

    Seems as if both were based on the same code or something alike.