
KDE Konqueror Sub-Frames Script Execution Vulnerability


Published: 2002-09-18
Updated: 2002-09-18
Severity:
Threat: server information disclosure
Error type: design error
Exploit vector: client-side

BUGTRAQ ID:5689

Affected systems
KDE KDE 2.2.2
   + Debian Linux 3.0
   + MandrakeSoft Linux Mandrake 8.2
   + MandrakeSoft Linux Mandrake 8.2 ppc
KDE KDE 3.0
   + Conectiva Linux 8.0
KDE KDE 3.0.1
KDE KDE 3.0.2
KDE KDE 3.0.3
KDE Konqueror 2.2.2
KDE Konqueror 3.0
   + KDE KDE 3.0
KDE Konqueror 3.0.1
   + KDE KDE 3.0.1
KDE Konqueror 3.0.2
   + KDE KDE 3.0.2
KDE Konqueror 3.0.3
   + KDE KDE 3.0.3
Description
When a browser window opens another window or frame that belongs to a different domain, the browser's same-origin checks are supposed to stop the parent window from accessing the child's content and scripts.

Konqueror does not correctly set the domain of sub-frames and sub-iframes. A parent window can therefore point a frame or sub-frame at a URL without regard to its domain and then script that frame as if it belonged to the parent's own domain. The result is a cross-domain scripting problem: a page from one domain can execute script in the context of a child frame loaded from another domain.
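The following is an added example, not KHTML or Konqueror code, that models the check described above: a small frame tree in which each frame carries the origin of the document it displays, one navigation routine that never re-derives a sub-frame's origin (the design error the advisory describes) next to one that does, and the same-origin test a parent must pass before it may script a child. The names (originOf, Frame, canScript, navigateFlawed, navigateFixed, runScenario) and the hostnames attacker.example and bank.example are illustrative assumptions.

```javascript
// Added example (not Konqueror/KHTML code). Models how a browser must derive
// a sub-frame's origin and check it before letting a parent frame script it.

// Reduce a URL to its origin (scheme, host, effective port); two documents may
// script each other only when these three parts are identical.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

// A node in the frame tree. A freshly created sub-frame shows an empty
// document and starts with its parent's origin, as a browser does for about:blank.
class Frame {
  constructor(name, parent = null, origin = null) {
    this.name = name;
    this.parent = parent;
    this.origin = parent ? parent.origin : origin;
    this.url = "about:blank";
    this.children = [];
    if (parent) parent.children.push(this);
  }
}

// Access check shared by both models: script running in `caller` may reach
// into `target`'s document only when both origins are known and identical.
function canScript(caller, target) {
  return caller.origin !== null && caller.origin === target.origin;
}

// Flawed navigation (the design error described above): the URL is loaded
// into the sub-frame but the frame's origin is never re-derived, so the frame
// keeps the origin of its parent whatever site it now displays.
function navigateFlawed(frame, url) {
  frame.url = url;
}

// Corrected navigation: every navigation sets the frame's origin from the
// document actually loaded into it.
function navigateFixed(frame, url) {
  frame.url = url;
  frame.origin = originOf(url);
}

// Scenario (hostnames are constructed): a page on attacker.example creates a
// sub-frame, points it at bank.example, then tries to script the sub-frame.
// Returns what the check decided before and after the navigation.
function runScenario(navigate) {
  const top = new Frame("top", null, originOf("http://attacker.example/page.html"));
  const sub = new Frame("sub", top);
  const beforeNavigation = canScript(top, sub); // about:blank: allowed, correctly
  navigate(sub, "http://bank.example/account");
  return {
    subOrigin: sub.origin,
    parentCanScriptSubBefore: beforeNavigation,
    parentCanScriptSub: canScript(top, sub),
  };
}

// With the flawed navigation the parent may script a frame showing another
// site; with the fixed navigation the same check denies it.
const flawed = runScenario(navigateFlawed); // parentCanScriptSub: true
const fixed = runScenario(navigateFixed);   // parentCanScriptSub: false
```

The point the model makes is that the access check itself can be correct and the browser still be vulnerable: the origin it compares must be re-derived from the document actually loaded into the frame on every navigation, and an origin inherited at frame creation is only valid while the frame still shows the empty document.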

Test code


Solution
Upgrade:

KDE KDE 2.2.2:

KDE Upgrade kdelibs-3.0.3a.tar.bz2
http://download.kde.org/stable/3.0.3

KDE Patch post-2.2.2-kdelibs-khtml.diff
ftp://ftp.kde.org/pub/kde/security_patches

Debian Upgrade kdelibs3_2.2.2-13.woody.3_alpha.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_alpha.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_arm.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_arm.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_hppa.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_hppa.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_i386.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_i386.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_ia64.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_ia64.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_m68k.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_m68k.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_mips.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_mips.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_mipsel.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_mipsel.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_powerpc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_powerpc.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_s390.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_s390.deb

Debian Upgrade kdelibs3_2.2.2-13.woody.3_sparc.deb
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs3_2.2.2-13.woody.3_sparc.deb

KDE Konqueror 2.2.2:
KDE KDE 3.0:

KDE Upgrade kdelibs-3.0.3a.tar.bz2
http://download.kde.org/stable/3.0.3

KDE Konqueror 3.0:
KDE Konqueror 3.0.1:
KDE KDE 3.0.1:

KDE Upgrade kdelibs-3.0.3a.tar.bz2
http://download.kde.org/stable/3.0.3

KDE Konqueror 3.0.2:
KDE KDE 3.0.2:

KDE Upgrade kdelibs-3.0.3a.tar.bz2
http://download.kde.org/stable/3.0.3

KDE KDE 3.0.3:

KDE Upgrade kdelibs-3.0.3a.tar.bz2
http://download.kde.org/stable/3.0.3

KDE Patch post-3.0.3-kdelibs-khtml.diff
ftp://ftp.kde.org/pub/kde/security_patches

Related information
KDE Security Advisory.
References: http://online.securityfocus.com/advisories/4477
http://online.securityfocus.com/archive/1/291330