From kfm-devel Sat Aug 25 18:03:33 2001
From: George Staikos
Date: Sat, 25 Aug 2001 18:03:33 +0000
To: kfm-devel
Subject: security vulnerability in konqueror
X-MARC-Message: https://marc.info/?l=kfm-devel&m=99876294700641

I am away on vacation and didn't see any talk on the lists about this, so I want to bring this up again.

There is a rather bad security hole in Konqueror. Remote documents and http should only be allowed to redirect to http://, ftp://, news:// and mailto:. (perhaps I missed one?) Right now it's easy to redirect to rio://, floppy://, audiocd://, pop3://, smtp://, lan://, nfs://, etc.

This introduces all kinds of issues. Dialogs could prompt for passwords which would be sent off to remote hosts without the user understanding what is really going on. For instance, files could be erased from personal devices. We don't know what kind of ioslaves people will write in the future, too.

There should be tight restrictions on what is allowed for clickable links, java[script] and redirect urls.

-- 
George Staikos
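The check the mail asks for, a scheme allowlist applied to redirect and link targets that come from remote content, written out below as an added example in plain C++. It is not Konqueror's or KDE's code and does not use the KIO API; the URL strings, the host name example.test, the decision to treat http, https and ftp as "remote" origins, and the inclusion of https (which the mail does not name) in the allowlist are all assumptions made for the example. It goes slightly beyond the mail in that it also handles the edge cases a real implementation hits: scheme names compared case-insensitively, leading whitespace, relative references, and malformed schemes, which fail closed.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Parse the scheme of a URL reference. Returns false if the reference has a
// malformed scheme (caller should fail closed). On success, `scheme` holds
// the lower-cased scheme, or "" when the reference is relative (no scheme).
bool parseScheme(const std::string& url, std::string& scheme) {
    scheme.clear();
    // Ignore leading whitespace so " audiocd:/" is not mistaken for a relative path.
    size_t start = url.find_first_not_of(" \t\r\n");
    if (start == std::string::npos) return true;  // empty reference: relative
    // A scheme must end at the first ':' and that ':' must come before any
    // '/', '?' or '#'; otherwise the reference is relative (e.g. "/path").
    size_t delim = url.find_first_of(":/?#", start);
    if (delim == std::string::npos || url[delim] != ':') return true;
    std::string s = url.substr(start, delim - start);
    // RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
    if (s.empty() || !std::isalpha(static_cast<unsigned char>(s[0]))) return false;
    for (char c : s) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isalnum(uc) && c != '+' && c != '-' && c != '.') return false;
    }
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    scheme = s;
    return true;
}

// Assumption: documents fetched over these schemes are untrusted remote content.
static const std::vector<std::string> kRemoteSchemes = {"http", "https", "ftp"};

// Assumption: the allowlist from the mail (http, ftp, news, mailto) plus https.
// Everything else (rio, floppy, audiocd, pop3, smtp, lan, nfs, ...) is denied.
static const std::vector<std::string> kAllowedTargets = {"http", "https", "ftp", "news", "mailto"};

static bool contains(const std::vector<std::string>& v, const std::string& s) {
    return std::find(v.begin(), v.end(), s) != v.end();
}

// Decide whether a redirect, clickable link or script-driven navigation from
// sourceUrl to targetUrl may be followed.
bool isRedirectAllowed(const std::string& sourceUrl, const std::string& targetUrl) {
    std::string src, dst;
    // Unknown or malformed origin: fail closed.
    if (!parseScheme(sourceUrl, src) || src.empty()) return false;
    // Local (non-remote) documents are not restricted by this policy, as in the mail.
    if (!contains(kRemoteSchemes, src)) return true;
    // Malformed target scheme from remote content: fail closed.
    if (!parseScheme(targetUrl, dst)) return false;
    // A relative target resolves within the source's own scheme, so it is fine.
    if (dst.empty()) return true;
    return contains(kAllowedTargets, dst);
}

int main() {
    // Constructed sample navigations, all originating from a remote http page.
    const std::string origin = "http://example.test/page.html";
    const char* targets[] = {
        "http://example.test/next.html", "mailto:someone@example.test",
        "/relative/path", "rio://device", "FLOPPY:/", " audiocd:/", ":bad",
    };
    for (const char* t : targets) {
        std::cout << (isRedirectAllowed(origin, t) ? "allow " : "deny  ") << "\"" << t << "\"\n";
    }
    return 0;
}
```

The important design choice is that the two unusual parse outcomes are kept apart: a reference with no scheme at all is relative and stays inside the origin's scheme, while a reference whose scheme fails the RFC 3986 grammar is rejected outright rather than being misread as relative and waved through.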