ID CVE-2003-0592
Summary Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
Vulnerable Configurations
  • cpe:2.3:a:kde:konqueror:2.1.1
  • cpe:2.3:a:kde:konqueror:2.2.2
  • cpe:2.3:a:kde:konqueror:3.0
  • cpe:2.3:a:kde:konqueror:3.0.1
  • cpe:2.3:a:kde:konqueror:3.0.2
  • cpe:2.3:a:kde:konqueror:3.0.3
  • cpe:2.3:a:kde:konqueror:3.0.5
  • cpe:2.3:a:kde:konqueror:3.1
  • cpe:2.3:a:kde:konqueror:3.1.1
  • cpe:2.3:a:kde:konqueror:3.1.2
  • cpe:2.3:a:kde:konqueror_embedded:0.1
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Access
  • Vector NETWORK
  • Complexity LOW
  • Authentication NONE
Impact
  • Confidentiality PARTIAL
  • Integrity PARTIAL
  • Availability PARTIAL
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-074.NASL
    description Updated kdelibs packages that fix a flaw in cookie path handling are now available. Konqueror is a file manager and Web browser for the K Desktop Environment (KDE). Flaws have been found in the cookie path handling between a number of Web browsers and servers. The HTTP cookie standard allows a Web server supplying a cookie to a client to specify a subset of URLs on the origin server to which the cookie applies. Web servers such as Apache do not filter returned cookies and assume that the client will only send back cookies for requests that fall within the server-supplied subset of URLs. However, by supplying URLs that use path traversal (/../) and character encoding, it is possible to fool many browsers into sending a cookie to a path outside of the originally-specified subset. KDE version 3.1.3 and later include a patch to Konqueror that disables the sending of cookies to the server if the URL contains such encoded traversals. Red Hat Enterprise Linux 2.1 shipped with KDE 2.2.2 and is therefore vulnerable to this issue. Users of Konqueror are advised to upgrade to these erratum packages, which contain a backported patch for this issue.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12472
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12472
    title RHEL 2.1 : kdelibs (RHSA-2004:074)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-459.NASL
    description A vulnerability was discovered in KDE where the path restrictions on cookies could be bypassed using encoded relative path components (e.g., '/../'). This means that a cookie which should only be sent by the browser to an application running at /app1 could inadvertently be included with a request sent to /app2 on the same server.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15296
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15296
    title Debian DSA-459-1 : kdelibs - cookie path traversal
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-022.NASL
    description Corsaire discovered that a number of HTTP user agents contained a flaw in how they handle cookies. This flaw could allow an attacker to avoid the path restrictions specified by a cookie's originator. According to their advisory: 'The cookie specifications detail a path argument that can be used to restrict the areas of a host that will be exposed to a cookie. By using standard traversal techniques this functionality can be subverted, potentially exposing the cookie to scrutiny and use in further attacks.' This issue was fixed in KDE 3.1.3; the updated packages are patched to protect against this vulnerability.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14121
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14121
    title Mandrake Linux Security Advisory : kdelibs (MDKSA-2004:022)
oval via4
accepted 2007-04-25T19:52:56.638-04:00
class vulnerability
contributors
  • name Jay Beale
    organization Bastille Linux
  • name Thomas R. Jones
    organization Maitreya Security
description Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application.
family unix
id oval:org.mitre.oval:def:823
status accepted
submitted 2004-03-20T12:00:00.000-04:00
title Konqueror Cookie Access Restrictions Bypass Vulnerability
version 33
redhat via4
advisories
rhsa
id RHSA-2004:074
refmap via4
debian DSA-459
fulldisc 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue
mandrake MDKSA-2004:022
vulnwatch 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue
Last major update 10-09-2008 - 15:19
Published 15-04-2004 - 00:00
Last modified 10-10-2017 - 21:29