KDE Konqueror HTTP REFERER Authentication Information Disclosure Vulnerability

admin 2022-07-14 11:22:54 CNNVD Vulnerabilities Source: ZONE.CI Global Network

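Vulnerability Details

KDE Konqueror HTTP REFERER Authentication Information Disclosure Vulnerability

  • CNNVD ID: CNNVD-200308-126
  • Severity: Low
  • CVE ID: CVE-2003-0459
  • Vulnerability type: Design error
  • Published: 2003-08-27
  • Threat type: Remote
  • Updated: 2005-10-20
  • Vendor: kde
  • Vulnerability source: George Staikos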

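Vulnerability Summary

KDE is a graphical desktop environment for the X Window System. Konqueror is the file manager of the K Desktop Environment and can also be used to browse the web. Konqueror does not handle HTTP REFERER field information correctly, and a remote attacker can exploit this vulnerability to obtain sensitive user authentication information by sniffing the network. When Konqueror submits a request for a URL of the form http://user:password@host/, the authentication information is sent in cleartext, without the user's knowledge, in the HTTP Referer field, so a third party can obtain this sensitive information by intercepting network traffic.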
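The leak described above can be shown from the defender's side. The following is an added example, not code from Konqueror or from any of the advisories listed on this page: `safe_referer` builds a Referer value with the userinfo (and fragment) removed, as RFC 7231 later required of user agents, and `leaked_credentials` checks a captured request for a Referer that still carries userinfo. The function names, the host `images.example.net` and the sample request are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit


def safe_referer(page_url):
    """Return the Referer value a client may send for page_url, or None.

    The userinfo ("user:password@") and the fragment are dropped;
    non-HTTP schemes produce no Referer at all.
    """
    parts = urlsplit(page_url)
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal needs its brackets back
        host = "[" + host + "]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def leaked_credentials(raw_request):
    """Return (user, password) if the request's Referer carries userinfo."""
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                              # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "referer":
            parts = urlsplit(value.strip())
            if parts.username is not None or parts.password is not None:
                return (parts.username, parts.password)
    return None


def build_request(page_url, sanitize):
    """Constructed sample: a sub-resource request made from page_url."""
    referer = safe_referer(page_url) if sanitize else page_url
    return ("GET /logo.png HTTP/1.1\r\n"
            "Host: images.example.net\r\n"
            f"Referer: {referer}\r\n"
            "\r\n")


if __name__ == "__main__":
    page = "http://user:password@host/"          # URL form quoted in the advisory
    print(leaked_credentials(build_request(page, sanitize=False)))
    print(leaked_credentials(build_request(page, sanitize=True)))
```
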

Vulnerability Advisories

Vendor patches:

Debian
------
http://www.debian.org/security/2003/dsa-361

MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2003:079) and corresponding patches for this issue:

MDKSA-2003:079:Updated kdelibs packages fix konqueror authentication leak

Link: http://www.linux-mandrake.com/en/security/2003/2003-079.php

Patch downloads:

Updated Packages:

Corporate Server 2.1:

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/kdelibs-3.0.5a-1.3mdk.i586.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/kdelibs-devel-3.0.5a-1.3mdk.i586.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/kdelibs-3.0.5a-1.3mdk.src.rpm

Corporate Server 2.1/x86_64:

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/kdelibs-3.0.5-2.1mdk.x86_64.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/kdelibs-devel-3.0.5-2.1mdk.x86_64.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/kdelibs-3.0.5-2.1mdk.src.rpm

Mandrake Linux 9.0:

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/kdelibs-3.0.5a-1.3mdk.i586.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/kdelibs-devel-3.0.5a-1.3mdk.i586.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/kdelibs-3.0.5a-1.3mdk.src.rpm

Mandrake Linux 9.1:

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/kdelibs-3.1-58.2mdk.i586.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/kdelibs-common-3.1-58.2mdk.i586.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/kdelibs-devel-3.1-58.2mdk.i586.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/RPMS/kdelibs-static-devel-3.1-58.2mdk.i586.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.1/SRPMS/kdelibs-3.1-58.2mdk.src.rpm

Mandrake Linux 9.1/PPC:

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/kdelibs-3.1-58.2mdk.ppc.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/kdelibs-common-3.1-58.2mdk.ppc.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/kdelibs-devel-3.1-58.2mdk.ppc.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/RPMS/kdelibs-static-devel-3.1-58.2mdk.ppc.rpm

ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/9.1/SRPMS/kdelibs-3.1-58.2mdk.src.rpm

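The updated packages above can also be downloaded from any of the mirror FTP servers listed at:

http://www.mandrakesecure.net/en/ftp.php

RedHat
------
RedHat has released a security advisory (RHSA-2003:236-08) and corresponding patches for this issue: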

RHSA-2003:236-08:Updated KDE packages fix security issue

Link: http://rhn.redhat.com/errata/RHSA-2003-236.HTML

Patch downloads:

Red Hat Enterprise Linux AS (v. 2.1)

--------------------------------------------------------------------------------

SRPMS:

kdelibs-2.2.2-9.src.rpm f0e606206f10a86c06abbf626a9a1e32

i386:

arts-2.2.2-9.i386.rpm abf35ed90bb162a14d96e0e3ed80ce5c

kdelibs-2.2.2-9.i386.rpm 407f8a272a2858718527fe1adeb73f7c

kdelibs-devel-2.2.2-9.i386.rpm 09ef114a24c28843a81fd3a93d06def9

kdelibs-sound-2.2.2-9.i386.rpm 5a951b1aba97b6b363918e31aac793b8

kdelibs-sound-devel-2.2.2-9.i386.rpm eeee618053e1b54a7a802b3c824f8a79

ia64:

arts-2.2.2-9.ia64.rpm 1b3acc69dcc82c8da42510ba6ff820e6

kdelibs-2.2.2-9.ia64.rpm 4172adfd6f35319b7e340952c3c51ba0

kdelibs-devel-2.2.2-9.ia64.rpm 20fb1ceb572442e36b91e55c7f29d25d

kdelibs-sound-2.2.2-9.ia64.rpm b7348ef4c58931909887a3423c165934

kdelibs-sound-devel-2.2.2-9.ia64.rpm 0fa84d0a287a99e21e868f9083bbea06

Red Hat Enterprise Linux ES (v. 2.1)

--------------------------------------------------------------------------------

SRPMS:

kdelibs-2.2.2-9.src.rpm f0e606206f10a86c06abbf626a9a1e32

i386:

arts-2.2.2-9.i386.rpm abf35ed90bb162a14d96e0e3ed80ce5c

kdelibs-2.2.2-9.i386.rpm 407f8a272a2858718527fe1adeb73f7c

kdelibs-devel-2.2.2-9.i386.rpm 09ef114a24c28843a81fd3a93d06def9

kdelibs-sound-2.2.2-9.i386.rpm 5a951b1aba97b6b363918e31aac793b8

kdelibs-sound-devel-2.2.2-9.i386.rpm eeee618053e1b54a7a802b3c824f8a79

Red Hat Enterprise Linux WS (v. 2.1)

--------------------------------------------------------------------------------

SRPMS:

kdelibs-2.2.2-9.src.rpm f0e606206f10a86c06abbf626a9a1e32

i386:

arts-2.2.2-9.i386.rpm abf35ed90bb162a14d96e0e3ed80ce5c

kdelibs-2.2.2-9.i386.rpm 407f8a272a2858718527fe1adeb73f7c

kdelibs-devel-2.2.2-9.i386.rpm 09ef114a24c28843a81fd3a93d06def9

kdelibs-sound-2.2.2-9.i386.rpm 5a951b1aba97b6b363918e31aac793b8

kdelibs-sound-devel-2.2.2-9.i386.rpm

References

  • Source: REDHAT, Name: RHSA-2003:236, Link: http://www.redhat.com/support/errata/RHSA-2003-236.HTML
  • Source: REDHAT, Name: RHSA-2003:235, Link: http://www.redhat.com/support/errata/RHSA-2003-235.HTML
  • Source: BUGTRAQ, Name: 20030802 [slackware-security] KDE packages updated (SSA:2003-213-01), Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105986238428061&w=2
  • Source: TURBO, Name: TLSA-2003-45, Link: http://www.turbolinux.com/security/TLSA-2003-45.txt
  • Source: www.kde.org, Link: http://www.kde.org/info/security/advisory-20030729-1.txt
  • Source: DEBIAN, Name: DSA-361, Link: http://www.debian.org/security/2003/dsa-361
  • Source: FULLDISC, Name: 20030729 KDE Security Advisory: Konqueror Referrer Authentication Leak, Link: http://lists.grok.org.uk/pipermail/full-disclosure/2003-July/007300.HTML
  • Source: MANDRAKE, Name: MDKSA-2003:079, Link: http://www.mandriva.com/security/advisories?name=MDKSA-2003:079
  • Source: CONECTIVA, Name: CLA-2003:747, Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000747
  • Source: US Government Resource: oval:org.mitre.oval:def:411, Name: oval:org.mitre.oval:def:411, Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:411

Affected Entities

  • Kde Konqueror:3.1.1  
  • Kde Konqueror:3.1.2  
  • Kde Konqueror_embedded:0.1  

Patches

    None available
