Version: 0.2.90 (using 4.3.2 (KDE 4.3.2), Debian packages)
Compiler: cc
OS: Linux (x86_64) release 2.6.31-1-amd64
Rekonq is affected by a universal XSS and / or crash. Opening a fresh instance
of Rekonq and entering the following URL causes a crash:
http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/"><script>alert(document.cookie)</script>
However, if you enter this into a new tab on an existing instance of Rekonq
then it will first try to resolve the hostname and, when that fails, it
will display an error message. The error message output by Rekonq includes the
full URL, including the <script> tags. Since Rekonq sees that the requested URL
is part of *.twitter.com, and since twitter.com sets wildcard-domain cookies,
the error page will be able to access any cookies that have been set. Note
that this is not unique to twitter.com; cookies can be stolen from any site that
sets wildcard-domain cookies.
There are therefore 3 issues:
1) Crash on fresh instance
2) Injection of malicious content into error message
3) Access to cookies when the hostname under which the cookies have been set
was not accessible
I believe the root cause of 2 is:
rekonq-mainline/src/webpage.cpp:
msg += "<h2>" + i18nc("%1=an URL, e.g.'kde.org'", "When connecting to: %1", reply->url().toString()) + "</h2>";
Note that there is no sanitisation of reply->url().toString()! I haven't
investigated the others in any depth but I will update the bug with a stack
trace for 1 shortly.
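An added illustration (not rekonq's code) of the unescaped concatenation quoted above beside its hardened form. It uses plain std::string and a hand-written htmlEscape() as a stand-in for Qt's escaping helper, so it builds without Qt; the function names and the sample URL are constructed for the example.

```cpp
#include <string>

// Minimal HTML escaping of the characters that matter when untrusted text is
// inserted into HTML content or an attribute value. Stand-in for Qt's
// escaping helper; not rekonq's own code.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
        case '&':  out += "&amp;";  break;
        case '<':  out += "&lt;";   break;
        case '>':  out += "&gt;";   break;
        case '"':  out += "&quot;"; break;
        case '\'': out += "&#39;";  break;
        default:   out += c;
        }
    }
    return out;
}

// Vulnerable pattern (mirrors the webpage.cpp line quoted in the report):
// the URL the user navigated to is concatenated into the error page verbatim.
std::string errorHeadingUnsafe(const std::string &url) {
    return "<h2>When connecting to: " + url + "</h2>";
}

// Hardened form: escape the attacker-controlled URL before it becomes markup.
std::string errorHeadingSafe(const std::string &url) {
    return "<h2>When connecting to: " + htmlEscape(url) + "</h2>";
}

// Detection helper: true if the rendered HTML still contains a raw <script> tag.
bool containsRawScriptTag(const std::string &html) {
    return html.find("<script") != std::string::npos;
}
```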