CVE-2003-0592 - Unspecified vulnerability in KDE Konqueror and Konqueror Embedded
Attack vector | Attack complexity | Privileges required | Confidentiality impact | Integrity impact | Availability impact |
---|---|---|---|---|---|
NETWORK | LOW | NONE | PARTIAL | PARTIAL | PARTIAL |

Summary
Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 11 |
Nessus
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2004-074.NASL
- description: Updated kdelibs packages that fix a flaw in cookie path handling are now available. Konqueror is a file manager and Web browser for the K Desktop Environment (KDE). Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. KDE version 3.1.3 and later include a patch to Konqueror that disables the sending of cookies to the server if the URL contains such encoded traversals. Red Hat Enterprise Linux 2.1 shipped with KDE 2.2.2 and is therefore vulnerable to this issue. Users of Konqueror are advised to upgrade to these erratum packages, which contain a backported patch for this issue.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 12472
- published: 2004-07-06
- reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/12472
- title: RHEL 2.1 : kdelibs (RHSA-2004:074)
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2004:074. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12472);
  script_version ("1.24");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2003-0592");
  script_xref(name:"RHSA", value:"2004:074");

  script_name(english:"RHEL 2.1 : kdelibs (RHSA-2004:074)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated kdelibs packages that fix a flaw in cookie path handling are
now available. Konqueror is a file manager and Web browser for the K
Desktop Environment (KDE). Flaws have been found in the cookie path
handling between a number of Web browsers and servers. The HTTP cookie
standard allows a Web server supplying a cookie to a client to specify
a subset of URLs on the origin server to which the cookie applies. Web
servers such as Apache do not filter returned cookies and assume that
the client will only send back cookies for requests that fall within
the server-supplied subset of URLs. However, by supplying URLs that
use path traversal (/../) and character encoding, it is possible to
fool many browsers into sending a cookie to a path outside of the
originally-specified subset. KDE version 3.1.3 and later include a
patch to Konquerer that disables the sending of cookies to the server
if the URL contains such encoded traversals. Red Hat Enterprise Linux
2.1 shipped with KDE 2.2.2 and is therefore vulnerable to this issue.
Users of Konquerer are advised to upgrade to these erratum packages,
which contain a backported patch for this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2003-0592"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2004:074"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:arts");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kdelibs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kdelibs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kdelibs-sound");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kdelibs-sound-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

# Local checks rely on data collected from the host by ssh_get_info.nasl.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
# ">!<" is the NASL "substring not found in" operator.
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
# This advisory only applies to Red Hat Enterprise Linux 2.1.
if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
# Only i386 package builds are checked below.
if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);

# Use yum updateinfo data when the host supplied it; otherwise fall back
# to comparing the installed RPMs against the versions named in the erratum.
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2004:074";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"arts-2.2.2-10")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kdelibs-2.2.2-10")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kdelibs-devel-2.2.2-10")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kdelibs-sound-2.2.2-10")) flag++;
  if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kdelibs-sound-devel-2.2.2-10")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arts / kdelibs / kdelibs-devel / kdelibs-sound / etc");
  }
}
```

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-459.NASL
- description: A vulnerability was discovered in KDE where the path restrictions on cookies could be bypassed using encoded relative path components (e.g.,
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 15296
- published: 2004-09-29
- reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/15296
- title: Debian DSA-459-1 : kdelibs - cookie path traversal
- code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-459. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15296);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2003-0592");
  script_bugtraq_id(9841);
  script_xref(name:"DSA", value:"459");

  script_name(english:"Debian DSA-459-1 : kdelibs - cookie path traversal");
  script_summary(english:"Checks dpkg output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A vulnerability was discovered in KDE where the path restrictions on
cookies could be bypassed using encoded relative path components
(e.g., '/../'). This means that a cookie which should only be sent by
the browser to an application running at /app1, the browser could
inadvertently include it with a request sent to /app2 on the same
server."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-459"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"For the current stable distribution (woody) this problem has been
fixed in kdelibs version 4:2.2.2-6woody3 and kdelibs-crypto version
4:2.2.2-13.woody.9.

We recommend that you update your kdelibs and kdelibs-crypto packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kdelibs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kdelibs-crypto");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/03/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Local checks rely on the release string and dpkg listing collected from the host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Compare each installed Debian 3.0 (woody) package against the versions
# named in DSA-459; flag counts the packages that are reported.
flag = 0;
if (deb_check(release:"3.0", prefix:"kdelibs-dev", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"kdelibs3", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"kdelibs3-bin", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"kdelibs3-crypto", reference:"2.2.2-6woody3")) flag++;
if (deb_check(release:"3.0", prefix:"kdelibs3-cups", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"kdelibs3-doc", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"libarts", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"libarts-alsa", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"libarts-dev", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"libkmid", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"libkmid-alsa", reference:"2.2.2-13.woody.9")) flag++;
if (deb_check(release:"3.0", prefix:"libkmid-dev", reference:"2.2.2-13.woody.9")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```

- NASL family: Mandriva Local Security Checks
- NASL id: MANDRAKE_MDKSA-2004-022.NASL
- description: Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 14121
- published: 2004-07-31
- reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/14121
- title: Mandrake Linux Security Advisory : kdelibs (MDKSA-2004:022)

Oval
accepted | 2007-04-25T19:52:56.638-04:00 |
class | vulnerability |
contributors | |
description | Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. |
family | unix |
id | oval:org.mitre.oval:def:823 |
status | accepted |
submitted | 2004-03-20T12:00:00.000-04:00 |
title | Konqueror Cookie Access Restrictions Bypass Vulnerability |
version | 37 |
Redhat
advisories |
|
References
- http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0056.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-March/018475.html
- http://www.debian.org/security/2004/dsa-459
- http://www.mandriva.com/security/advisories?name=MDKSA-2004:022
- http://www.redhat.com/support/errata/RHSA-2004-074.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A823