rekonq Error Page Cross-Site Scripting Vulnerability

2010.08.04
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Version: 0.2.90 (using 4.3.2 (KDE 4.3.2), Debian packages)
Compiler: cc
OS: Linux (x86_64) release 2.6.31-1-amd64

Rekonq is affected by a universal XSS and / or crash. Opening a fresh instance of Rekonq and entering the following URL causes a crash:

http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/"><script>alert(document.cookie)</script>

However, if you enter this into a new tab on an existing instance of Rekonq, then it will first try to resolve the hostname and, when that fails, it will display an error message. The error message output by Rekonq includes the full URL, including the <script> tags. Since Rekonq sees that the requested URL is part of *.twitter.com, and since twitter.com sets wildcard-domain cookies, the error page will be able to access any cookies that have been set. Note that this is not unique to twitter.com; cookies can be stolen for any site that sets wildcard-domain cookies.

There are therefore 3 issues:
1) Crash on fresh instance
2) Injection of malicious content into error message
3) Access to cookies when the hostname under which the cookies have been set was not accessible

I believe the root cause of 2 is this line in rekonq-mainline/src/webpage.cpp:

msg += "<h2>" + i18nc("%1=an URL, e.g.'kde.org'", "When connecting to: %1", reply->url().toString()) + "</h2>";

Note that there is no sanitisation of reply->url().toString()! I haven't investigated the others in any depth but I will update the bug with a stack trace for 1 shortly.
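The following is an added illustration, not rekonq's own code: it reproduces the unescaped concatenation pattern from the report next to a hardened version that HTML-encodes the URL before it is placed in the error page. It uses plain C++ with a hand-written encoder so it compiles without Qt; in the real code base the equivalent call is Qt::escape() (Qt 4) or QString::toHtmlEscaped() (Qt 5). The sample URL is constructed for the test and is not the report's exact payload.

```cpp
#include <string>

// Minimal HTML entity encoder for text placed inside an HTML element or
// attribute. Hand-rolled here only to stay Qt-free; production code should
// use the toolkit's encoder (Qt::escape / QString::toHtmlEscaped).
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Mirrors the vulnerable concatenation from webpage.cpp: the URL string is
// embedded verbatim, so any markup inside the URL becomes markup in the page.
std::string errorHeadingUnsafe(const std::string& url) {
    return "<h2>When connecting to: " + url + "</h2>";
}

// Hardened form: the URL is entity-encoded before it is placed in the HTML,
// so it is rendered as text rather than parsed as tags.
std::string errorHeadingSafe(const std::string& url) {
    return "<h2>When connecting to: " + htmlEscape(url) + "</h2>";
}

// Check usable in a regression test: does the rendered HTML still contain an
// unencoded script tag?
bool containsScriptTag(const std::string& html) {
    return html.find("<script") != std::string::npos;
}

// Constructed sample input in the shape of the report's URL (not the original).
const std::string kSampleUrl =
    "http://unresolvable.example.invalid/\"><script>alert(document.cookie)</script>";
```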

References:

https://bugs.kde.org/show_bug.cgi?id=217464
http://www.osvdb.org/66568
http://secunia.com/advisories/40646
http://marc.info/?l=oss-security&m=127973502617945&w=2
http://marc.info/?l=oss-security&m=127971194610788&w=2

