List: kde-core-devel
Subject: security vulnerability in konqueror
From: George Staikos <staikos () kde ! org>
Date: 2001-08-25 18:03:33
I am away on vacation and didn't see any talk on the lists about this so I
want to bring this up again. There is a rather bad security hole in
Konqueror. Remote documents and http should only be allowed to redirect to
http://, ftp://, news:// and mailto:. (perhaps I missed one?) Right now
it's easy to redirect to rio://, floppy://, audiocd://, pop3://, smtp://,
lan://, nfs://, etc. This introduces all kinds of issues. Dialogs could
prompt for passwords which would be sent off to remote hosts without the user
understanding what is really going on. For instance, files could be erased
from personal devices. We don't know what kind of ioslaves people will write
in the future too. There should be tight restrictions on what is allowed for
clickable links, java[script] and redirect urls.
--
George Staikos
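One way to implement the scheme allowlist the mail asks for, written here as an added example that is not Konqueror's code or the author's: a small scheme parser plus a redirect check for network-loaded documents. The names `urlScheme` and `redirectAllowed`, and the inclusion of https in the allowlist, are assumptions.

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>

// Lower-case a scheme so "FLOPPY:" and "floppy:" are treated alike.
static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Extract the scheme of a URL using the RFC 3986 grammar
// (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"), lower-cased.
// Returns "" for a relative URL, i.e. one with no scheme.
std::string urlScheme(const std::string& url) {
    // Skip leading whitespace/control characters: browsers tolerate them,
    // so a naive prefix check on the raw string would be easy to bypass.
    size_t start = 0;
    while (start < url.size() && static_cast<unsigned char>(url[start]) <= ' ') ++start;
    size_t i = start;
    if (i >= url.size() || !std::isalpha(static_cast<unsigned char>(url[i]))) return "";
    ++i;
    while (i < url.size()) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (!(std::isalnum(c) || c == '+' || c == '-' || c == '.')) break;
        ++i;
    }
    if (i >= url.size() || url[i] != ':') return "";
    return toLower(url.substr(start, i - start));
}

// Decide whether a document loaded over `sourceScheme` may navigate to `targetUrl`.
// Documents fetched from the network are limited to the allowlist the mail
// proposes (https added here as an assumption); everything else, such as a
// local file: document, keeps its full set of ioslaves.
bool redirectAllowed(const std::string& sourceScheme, const std::string& targetUrl) {
    static const std::set<std::string> remoteSources = {"http", "https", "ftp"};
    static const std::set<std::string> allowedTargets = {"http", "https", "ftp", "news", "mailto"};
    if (remoteSources.count(toLower(sourceScheme)) == 0) return true;
    const std::string target = urlScheme(targetUrl);
    // A relative URL resolves against the remote document itself, so it
    // stays on the (already allowed) source scheme.
    if (target.empty()) return true;
    return allowedTargets.count(target) > 0;
}
```

The same check applies to clickable links and script-driven navigation, since all three end up as a target URL the browser is asked to open on behalf of a remote page.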