Debian DSA-167-1 : kdelibs - XSS

high Nessus Plugin ID 15004

Synopsis

The remote Debian host is missing a security-related update.

Description

A cross site scripting problem has been discovered in Konqueror, a famous browser for KDE and other programs using KHTML. The KDE team reportsthat Konqueror's cross site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, JavaScript is able to access any foreign subframe which is defined in the HTML source. Users of Konqueror and other KDE software that uses the KHTML rendering engine may become victim of a cookie stealing and other cross site scripting attacks.

Solution

Upgrade the kdelibs package and restart Konqueror.

This problem has been fixed in version 2.2.2-13.woody.3 for the current stable distribution (woody) and in version 2.2.2-14 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it didn't ship KDE.

See Also

http://www.kde.org/info/security/advisory-20020908-2.txt

http://www.debian.org/security/2002/dsa-167

Plugin Details

Severity: High

ID: 15004

File Name: debian_DSA-167.nasl

Version: 1.20

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:konquerer, cpe:/o:debian:debian_linux:3.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 9/16/2002

Vulnerability Publication Date: 9/6/2002

Reference Information

CVE: CVE-2002-1151

DSA: 167