Detections
Analytics

FreeBSD : KDE -- multiple vulnerabilities (6f358f5a-c7ea-11de-a9f3-0030843d3802)

high Nessus Plugin ID 42342

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

oCERT reports :

Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation which leads to specially crafted archive files, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites.

IO Slaves input sanitization errors: KDE protocol handlers perform insufficient input validation, an attacker can craft malicious URI that would trigger JavaScript execution. Additionally the 'help://' protocol handler suffer from directory traversal. It should be noted that the scope of this issue is limited as the malicious URIs cannot be embedded in Internet hosted content.

KMail input sanitization errors: The KDE mail client, KMail, performs insufficient validation which leads to specially crafted email attachments, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites.

The exploitation of these vulnerabilities is unlikely according to Portcullis and KDE but the execution of active content is nonetheless unexpected and might pose a threat.

Solution

Update the affected packages.

See Also

http://ocert.org/advisories/ocert-2009-015.html

http://www.nessus.org/u?73d1e8cd

Plugin Details

Severity: High

ID: 42342

File Name: freebsd_pkg_6f358f5ac7ea11dea9f30030843d3802.nasl

Version: 1.13

Type: local

Published: 11/3/2009

Updated: 1/6/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:kdebase-runtime, p-cpe:/a:freebsd:freebsd:kdelibs, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 11/2/2009

Vulnerability Publication Date: 10/30/2009