Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk and .firm.in, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session.

According to a KDE Security Advisory :

WESTPOINT internet reconnaissance services alerted the KDE security team that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains.

Websites operating under the affected domains can set HTTP cookies in such a way that the Konqueror web browser will send them to all other websites operating under the same domain. A malicious website can use this as part of a session fixation attack. See e.g.
http://www.acros.si/papers/session_fixation.pdf

Affected are all country specific secondary top level domains that use more than 2 characters in the secondary part of the domain name and that use a secondary part other than com, net, mil, org, gov, edu or int. Examples of affected domains are .ltd.uk, .plc.uk and .firm.in

It should be noted that popular domains such as .co.uk, .co.in and .com are NOT affected.

New kdelibs and kdebase packages are available for Slackware 9.1, 10.0, and -current to fix security issues.

The remote host is using a version of Konqueror, a web browser, which is prone to a security flaw wherein a malicious website can spoof a third party domain within frames.  An attacker exploiting this flaw would get the local user to 'trust' a remote spoofed domain.  For example, if the malicious website were to spoof a trusted domain, the user may enter confidential information into the spoofed frame.

Updated kdelib and kdebase packages that resolve multiple security issues are now available.

The kdelibs packages include libraries for the K Desktop Environment.
The kdebase packages include core applications for the K Desktop Environment.

Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create temporary directories with predictable names. A local attacker could prevent KDE applications from functioning correctly, or overwrite files owned by other users by creating malicious symlinks.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0689 to this issue.

WESTPOINT internet reconnaissance services has discovered that the KDE web browser Konqueror allows websites to set cookies for certain country specific secondary top level domains. An attacker within one of the affected domains could construct a cookie which would be sent to all other websites within the domain leading to a session fixation attack. This issue does not affect popular domains such as .co.uk, .co.in, or .com. The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0721 to this issue.

A frame injection spoofing vulnerability has been discovered in the Konqueror web browser. This issue could allow a malicious website to show arbitrary content in a named frame of a different browser window.
The Common Vulnerabilities and Exposures project has assigned the name CVE-2004-0746 to this issue.

All users of KDE are advised to upgrade to these erratum packages, which contain backported patches from the KDE team for these issues.

A number of vulnerabilities were discovered in KDE that are corrected with these update packages.

The integrity of symlinks used by KDE are not ensured and as a result can be abused by local attackers to create or truncate arbitrary files or to prevent KDE applications from functioning correctly (CVE-2004-0689).

The DCOPServer creates temporary files in an insecure manner. These temporary files are used for authentication-related purposes, so this could potentially allow a local attacker to compromise the account of any user running a KDE application (CVE-2004-0690). Note that only KDE 3.2.x is affected by this vulnerability.

The Konqueror web browser allows websites to load web pages into a frame of any other frame-based web page that the user may have open.
This could potentially allow a malicious website to make Konqueror insert its own frames into the page of an otherwise trusted website (CVE-2004-0721).

The Konqueror web browser also allows websites to set cookies for certain country-specific top-level domains. This can be done to make Konqueror send the cookies to all other web sites operating under the same domain, which can be abused to become part of a session fixation attack. All country-specific secondary top-level domains that use more than 2 characters in the secondary part of the domain name, and that use a secondary part other than com, net, mil, org, gove, edu, or int are affected (CVE-2004-0746).

ID	Name	Product	Family	Severity
18877	FreeBSD : kdelibs -- konqueror cross-domain cookie injection (2797b27a-f55b-11d8-81b0-000347a4fa7d)	Nessus	FreeBSD Local Security Checks	high
18782	Slackware 10.0 / 9.1 / current : kde (SSA:2004-247-01)	Nessus	Slackware Local Security Checks	high
2379	Konqueror Cross-Domain Scripting	Nessus Network Monitor	Web Clients	high
15427	RHEL 2.1 / 3 : kdelibs, kdebase (RHSA-2004:412)	Nessus	Red Hat Local Security Checks	high
14335	Mandrake Linux Security Advisory : kdelibs/kdebase (MDKSA-2004:086)	Nessus	Mandriva Local Security Checks	high

Detections

Analytics

CVE-2004-0746

critical

Tenable Plugins

high

high

high

high

high