ID CVE-2003-0459
Summary KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.
References
Vulnerable Configurations
  • cpe:2.3:a:kde:konqueror:2.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:2.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror:3.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:kde:konqueror_embedded:0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:analog_real-time_synthesizer:2.1.1-5:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:analog_real-time_synthesizer:2.2-11:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:analog_real-time_synthesizer:2.2-11:*:ia64:*:*:*:*:*
  • cpe:2.3:a:redhat:kdebase:3.0.3-13:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:kdebase:3.0.3-13:*:i386_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs:2.1.1-5:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs:2.2-11:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs:2.2-11:*:ia64:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs:3.0.0-10:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs:3.1-10:*:i386:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_devel:2.1.1-5:*:i386_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_devel:2.2-11:*:i386_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_devel:2.2-11:*:ia64_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_devel:3.0.0-10:*:i386_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_devel:3.0.3-8:*:i386_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_devel:3.1-10:*:i386_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_sound:2.1.1-5:*:i386_sound:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_sound:2.2-11:*:i386_sound:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_sound:2.2-11:*:ia64_sound:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_sound_devel:2.1.1-5:*:i386_sound_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_sound_devel:2.2-11:*:i386_sound_dev:*:*:*:*:*
  • cpe:2.3:a:redhat:kdelibs_sound_devel:2.2-11:*:ia64_sound_dev:*:*:*:*:*
CVSS
Base: 5.0 (as of 11-10-2017 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: NONE
Impact
  • Confidentiality: PARTIAL
  • Integrity: NONE
  • Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
oval via4
accepted 2007-04-25T19:52:29.267-04:00
class vulnerability
contributors
  • name Jay Beale
    organization Bastille Linux
  • name Thomas R. Jones
    organization Maitreya Security
description KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites.
family unix
id oval:org.mitre.oval:def:411
status accepted
submitted 2003-09-04T12:00:00.000-04:00
title KDE Konqueror Userid/Password Disclosure Vulnerability
version 38
redhat via4
advisories
  • rhsa
    id RHSA-2003:235
  • rhsa
    id RHSA-2003:236
refmap via4
bugtraq 20030802 [slackware-security] KDE packages updated (SSA:2003-213-01)
conectiva CLA-2003:747
confirm http://www.kde.org/info/security/advisory-20030729-1.txt
debian DSA-361
fulldisc 20030729 KDE Security Advisory: Konqueror Referrer Authentication Leak
mandrake MDKSA-2003:079
turbo TLSA-2003-45
Last major update 11-10-2017 - 01:29
Published 27-08-2003 - 04:00
Last modified 11-10-2017 - 01:29