CVE-2003-0592 - Unspecified vulnerability in KDE Konqueror and Konqueror Embedded

CVSS 7.5 - HIGH (CVSS v2 base vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
low complexity
kde
nessus

Summary

Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
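As an added illustration (not part of this CVE record, nor Konqueror or kdelibs code), the following Python models the client-side path check the summary describes and that the Red Hat and Debian advisory text below spells out: a cookie scoped to Path=/app1, a pre-fix client that path-matches the cookie against the URL path exactly as written, a post-fix client that follows the approach the Red Hat text attributes to KDE 3.1.3 (send no cookies at all when the URL carries a traversal sequence), and the path an Apache-style server actually resolves the request to. The cookie jar, cookie names and request paths are constructed for the demo.

```python
# Added example for CVE-2003-0592 (not KDE/Konqueror code): a minimal model
# of client-side cookie path matching before and after the fix, next to the
# path an Apache-style server resolves the same request to.
from urllib.parse import unquote
import posixpath

# Constructed sample jar: the application at /app1 set a cookie with
# Path=/app1, and an unrelated application at /app2 set its own cookie.
COOKIE_JAR = [
    {"name": "app1_session", "value": "s3cr3t", "path": "/app1"},
    {"name": "app2_pref", "value": "dark", "path": "/app2"},
]


def path_matches(cookie_path, request_path):
    """RFC 6265 style path-match: equal, or cookie_path is a directory prefix
    of request_path (so Path=/app1 does not match /app10)."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def has_traversal(decoded_path):
    """True if any path segment is '..' after one round of %-decoding."""
    return any(seg == ".." for seg in decoded_path.split("/"))


def server_view(raw_path):
    """What an Apache-style server resolves the request to: %-decode once,
    then collapse '.' and '..' segments. The server does not re-check that
    the cookies it receives fall inside their Path attribute."""
    norm = posixpath.normpath(unquote(raw_path))
    # normpath keeps a leading '//'; fold it so the path stays rooted at '/'
    return "/" + norm.lstrip("/")


def cookies_vulnerable(jar, raw_path):
    """Pre-fix behaviour as the advisories describe it: match the cookie's
    Path attribute against the request path as written in the URL, with
    '%2e%2e' still encoded and '..' segments not collapsed."""
    return [c["name"] for c in jar if path_matches(c["path"], raw_path)]


def cookies_fixed(jar, raw_path):
    """Post-fix behaviour in the spirit of the KDE 3.1.3 change described by
    Red Hat: if the decoded URL path contains a traversal sequence, send no
    cookies; otherwise match on the decoded, normalized path so the client's
    view of the path agrees with the server's."""
    decoded = unquote(raw_path)
    if has_traversal(decoded):
        return []
    return [c["name"] for c in jar if path_matches(c["path"], server_view(raw_path))]


def compare(raw_path):
    """Return what each client would send for raw_path and where the server
    actually routes the request."""
    return {
        "server_path": server_view(raw_path),
        "vulnerable_client_sends": cookies_vulnerable(COOKIE_JAR, raw_path),
        "fixed_client_sends": cookies_fixed(COOKIE_JAR, raw_path),
    }


if __name__ == "__main__":
    for p in ["/app1/login", "/app2/index",
              "/app1/%2e%2e/app2/index", "/app1/../app2/index"]:
        print(p, compare(p))
```

Running it shows the core of the bug: for /app1/%2e%2e/app2/index the pre-fix client still sends app1's cookie because the raw path begins with /app1, while the server serves the request from /app2/index; a vulnerable application at /app2 (the CVE's own example) then receives a cookie it was never meant to see. Whether the fix refuses to send cookies on traversal (the KDE approach) or matches against the decoded, normalized path, what matters is that the client and the server agree on what the path is.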

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-074.NASL
    description: Updated kdelibs packages that fix a flaw in cookie path handling are now available. Konqueror is a file manager and Web browser for the K Desktop Environment (KDE). Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. KDE version 3.1.3 and later include a patch to Konqueror that disables the sending of cookies to the server if the URL contains such encoded traversals. Red Hat Enterprise Linux 2.1 shipped with KDE 2.2.2 and is therefore vulnerable to this issue. Users of Konqueror are advised to upgrade to these erratum packages, which contain a backported patch for this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12472
    published: 2004-07-06
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/12472
    title: RHEL 2.1 : kdelibs (RHSA-2004:074)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:074. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12472);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2003-0592");
      script_xref(name:"RHSA", value:"2004:074");
    
      script_name(english:"RHEL 2.1 : kdelibs (RHSA-2004:074)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated kdelibs packages that fix a flaw in cookie path handling are
    now available.
    
    Konqueror is a file manager and Web browser for the K Desktop
    Environment (KDE).
    
    Flaws have been found in the cookie path handling between a number of
    Web browsers and servers. The HTTP cookie standard allows a Web server
    supplying a cookie to a client to specify a subset of URLs on the
    origin server to which the cookie applies. Web servers such as Apache
    do not filter returned cookies and assume that the client will only
    send back cookies for requests that fall within the server-supplied
    subset of URLs. However, by supplying URLs that use path traversal
    (/../) and character encoding, it is possible to fool many browsers
    into sending a cookie to a path outside of the originally-specified
    subset.
    
    KDE version 3.1.3 and later include a patch to Konqueror that disables
    the sending of cookies to the server if the URL contains such encoded
    traversals. Red Hat Enterprise Linux 2.1 shipped with KDE 2.2.2 and is
    therefore vulnerable to this issue.
    
    Users of Konqueror are advised to upgrade to these erratum packages,
    which contain a backported patch for this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2003-0592"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:074"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:arts");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kdelibs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kdelibs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kdelibs-sound");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:kdelibs-sound-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/04/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:074";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"arts-2.2.2-10")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kdelibs-2.2.2-10")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kdelibs-devel-2.2.2-10")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kdelibs-sound-2.2.2-10")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"kdelibs-sound-devel-2.2.2-10")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "arts / kdelibs / kdelibs-devel / kdelibs-sound / etc");
      }
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-459.NASL
    description: A vulnerability was discovered in KDE where the path restrictions on cookies could be bypassed using encoded relative path components (e.g.,
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15296
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15296
    title: Debian DSA-459-1 : kdelibs - cookie path traversal
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-459. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15296);
      script_version("1.22");
      script_cvs_date("Date: 2019/08/02 13:32:17");
    
      script_cve_id("CVE-2003-0592");
      script_bugtraq_id(9841);
      script_xref(name:"DSA", value:"459");
    
      script_name(english:"Debian DSA-459-1 : kdelibs - cookie path traversal");
      script_summary(english:"Checks dpkg output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered in KDE where the path restrictions on
    cookies could be bypassed using encoded relative path components
    (e.g., '/../'). This means that a cookie which should only be sent by
    the browser to an application running at /app1, the browser could
    inadvertently include it with a request sent to /app2 on the same
    server."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2004/dsa-459"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "For the current stable distribution (woody) this problem has been
    fixed in kdelibs version 4:2.2.2-6woody3 and kdelibs-crypto version
    4:2.2.2-13.woody.9.
    
    We recommend that you update your kdelibs and kdelibs-crypto packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kdelibs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:kdelibs-crypto");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/03/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"kdelibs-dev", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"kdelibs3", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"kdelibs3-bin", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"kdelibs3-crypto", reference:"2.2.2-6woody3")) flag++;
    if (deb_check(release:"3.0", prefix:"kdelibs3-cups", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"kdelibs3-doc", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"libarts", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"libarts-alsa", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"libarts-dev", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"libkmid", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"libkmid-alsa", reference:"2.2.2-13.woody.9")) flag++;
    if (deb_check(release:"3.0", prefix:"libkmid-dev", reference:"2.2.2-13.woody.9")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2004-022.NASL
    description: Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14121
    published: 2004-07-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14121
    title: Mandrake Linux Security Advisory : kdelibs (MDKSA-2004:022)

Oval

accepted: 2007-04-25T19:52:56.638-04:00
class: vulnerability
contributors:
  • name: Jay Beale
    organization: Bastille Linux
  • name: Thomas R. Jones
    organization: Maitreya Security
description: Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
family: unix
id: oval:org.mitre.oval:def:823
status: accepted
submitted: 2004-03-20T12:00:00.000-04:00
title: Konqueror Cookie Access Restrictions Bypass Vulnerability
version: 37

Redhat

advisories:
  • rhsa
    id: RHSA-2004:074