Executive Summary
| Summary | |
|---|---|
| Title | New kdelibs fix cross site scripting bug |
| Informations | |||
|---|---|---|---|
| Name | DSA-167 | First vendor Publication | 2002-09-16 |
| Vendor | Debian | Last vendor Modification | 2002-09-16 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| A cross site scripting problem has been discovered in Konquerer, a famous browser for KDE and other programs using KHTML. The KDE team reports that Konqueror's cross site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, Javascript is able to access any foreign subframe which is defined in the HTML source. Users of Konqueror and other KDE software that uses the KHTML rendering engine may become victim of a cookie stealing and other cross site scripting attacks. This problem has been fixed in version 2.2.2-13.woody.3 for the current stable distribution (woody) and in version 2.2.2-14 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it didn't ship KDE. We recommend that you upgrade your kdelibs package and restart Konquerer. wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 3.0 alias woody |
Original Source
| Url : http://www.debian.org/security/2002/dsa-167 |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 5 | |
| Os | 5 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 167-1 (Konquerer) File : nvt/deb_167_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 7867 | KDE Konqueror Sub-Frame XSS Konqueror contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the domains on sub-frames and sub-iframes. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-167.nasl - Type : ACT_GATHER_INFO |
| 2004-07-31 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2002-064.nasl - Type : ACT_GATHER_INFO |
| 2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2002-221.nasl - Type : ACT_GATHER_INFO |
| 2004-07-06 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2003-003.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:28:00 |
|
