Konqueror 4.4.x / 4.5.x / 4.6.x HTML Injection

Credit: Tim Brown
Risk: Low
Local: No
Remote: Yes

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Nth Dimension Security Advisory (NDSA20110321) Date: 21st March 2011 Author: Tim Brown <mailto:timb@nth-dimension.org.uk> URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/> Product: Konqueror 4.4.x, 4.5.x, 4.6.x <http://konqueror.kde.org/> Vendor: KDE <http://www.kde.org/> Risk: Medium Summary The Konqueror web browser is vulnerable to HTML injection into the error pages that are displayed when it fails to fetch the requested URL. This could allow an arbitrary web site to be spoofed. After discussions with the vendor, CVE-2011-1168 was assigned to this vulnerability. Technical Details Konqueror 4.4.x, 4.5.x and 4.6.x are affected by HTML injection which allows an arbitrary URL to be spoofed. Opening a fresh instance of Konqueror and entering the following URL causes the error page HTML to become corrupted: http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/"><h1>Test</h1> Since Konqueror fails to resolve the hostname it will then will display an error message containing the requested URL including the HTML tags. It is worth noting that Javascript execution does not appear to be possible in the context of the unresolvable hostname for two reasons. Firstly Konqueror disables Javascript within KHTMLPart::htmlError() (between the calls to begin() and end() and secondly because the code executes in an empty domain preventing the cookies for the spoofed URL from being accessed. Whilst the first of these restrictions could be bypassed in a number of ways (see below), no method has currently been identified to bypass the latter to break Konqueror's same origin policy. It was identified that the first restriction could be bypassed at least two ways. Firstly a link can be injected with a URL in the form javascript:... and secondly an iframe can be injected with a source URL in the form data:text/html,... In the first case, Konqueror only interprets the link at the point of clicking (after Javascript has been reenabled) whilst in the latter, Konqueror does not disable Javascript during the parsing of the source for this iframe (i.e. between the calls to begin() and end()). The following URL demonstrates how HTML can be injected which both takes control of the entire visible DOM by overriding the error page styles for an arbitrary "secure" URL and then allows Javascript to be executed in the victims browser: https://secure.twitter.com/</title></head><body><style>body{margin: 10px 0; background:#C0DEED url(http://si0.twimg.com/sticky/error_pages/bg-clouds.png) repeat-x; color:%23333; font: 12px Lucida Grande, Arial, sans-serif; text-align:center};%23box {display: none}</style></div><br/><br/><br/><br/><br/><br/><br/><br/><br/><iframe width=25%25 height=180 frameBorder=0 src='data:text/html,<body style="background-color:transparent"><img src=http://si0.twimg.com/sticky/error_pages/twitter_logo_header.png><a><form><p>Username: <input type=text></p><p>Password: <input type=password></p><input type=submit value=Login></form><script>alert(1)</script></body>'><div id="box"> Solutions Nth Dimension recommends that the vendor supplied patches should be applied. History On 16th March 2011, Nth Dimension contacted the KDE security team to report the described vulnerability. On 17th March 2011, Harri Porten of KDE confirmed that he had recieved the report and it had been escalated to Maksim Orlovich, a KDE developer working on KHTML to determine the impact. Nth Dimension worked with the Maksim to evaluate the full extent of the problem, particulary in relation to the bypass of the Javascript restriction as any same origin policy implications and an interim patch was produced. On 18th March 2011, Nth Dimension contacted Josh Bressers on behalf of the KDE security team to request a CVE for this vulnerability which was duely assigned. Following the assigment of a CVE for this issue, Nth Dimension and KDE liased to establish a date for final publication of the advisory and patches. Current As of the 23rd March 2011, the state of the vulnerabilities is believed to be as follows. A patch has been developed which it is believed successfully mitigates the final symptoms of this vulnerability. This patch has been ported to 4.4.x, 4.5.x and 4.6.x branches of KDE and will be made available to distributions in due course. Thanks Nth Dimension would like to thank Maksim Orlovich and Jeff Mitchell of KDE and Josh Bressers of Redhat for the way they worked to resolve the issue. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iQIcBAEBCAAGBQJNiUQHAAoJEPJhpTVyySo7fmgP/Ak3XF7fMSjoJ+tJTb2ZwAl3 /6L94CTaDVS4GFhCwYjSQXajmPpUcEfkRYRyScg1ABrIDt1301s+tuA4CrR540k3 8eTPBSi/brbg+zsQHJZaubBanxOPV3gnZR9jBlTD3+1N1g7PZj1x3A97ijEcVDV+ wbWVVu2CAxrLAkpZMLebqztssPrLV87Q90JBPehJorKEx+kKVkPzyh1X/XoQC9Er 4YLxlhc8NScATNqAci2r54mMbXKqmsXvRLA23rw299y/B1Qd0fkRtY/X72Wguedh O97X/aAvojJw61BQ/rzsq0otnjGQfYQUtRNAdhdoQ0Eh+v3mlea/3PFugXMjyxTr qNO5blYvoeJ409XpmzOXgpk5j8gfUPiOkVFcU0AgMa2e600tZjJ76BpNfmiq3m+e g94vHYLvu1koG7ZzuZIQHfbtK8WUfM8W+bXpkRqmsxH0a5AOYqTjbJtWdskIipvp gUhfQmpCazqkK7ym4IWe44N1mMx2EJX3gWXtw/LETk+S5QX+DdJOUI1igIbJVZT6 BpqGG6tVFdPyus8X6AjP+GyhgvZSnziiXqha6D9kvWusVCzYVsP9+56wvWSDIgCn dZM5eSJphEYVaEaX86tpulYOXyxLAjrYrldghX0AEcDmFk9d8qwfXG4N4xcOkSO5 rGKhyY/jLYu1iU4szvI3 =nbIX -----END PGP SIGNATURE-----

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com


Back to Top