
List:       kfm-devel
Subject:    security vulnerability in konqueror
From:       George Staikos <staikos () kde ! org>
Date:       2001-08-25 18:03:33

I am away on vacation and didn't see any talk on the lists about this, so I 
want to bring this up again.  There is a rather bad security hole in 
Konqueror.  Remote documents and http should only be allowed to redirect to 
http://, ftp://, news:// and mailto:.  (perhaps I missed one?)  Right now 
it's easy to redirect to rio://, floppy://, audiocd://, pop3://, smtp://, 
lan://, nfs://, etc.  This introduces all kinds of issues.  Dialogs could 
prompt for passwords which would be sent off to remote hosts without the user 
understanding what is really going on.  For instance, files could be erased 
from personal devices.  We don't know what kind of ioslaves people will write 
in the future either.  There should be tight restrictions on what is allowed for 
clickable links, java[script] and redirect urls.

-- 

George Staikos
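The restriction the mail asks for, written out as a scheme allow-list for redirects and links that originate from a remotely loaded document. This is an added example in plain C++, not Konqueror or KIO code; the allowed set is the mail's four schemes plus https (an assumption), the set of "remote" source schemes is assumed, and the leniency about surrounding whitespace mirrors how permissive loaders treat URLs rather than anything the mail states.

```cpp
// Added example, not Konqueror code: a scheme allow-list for redirects and
// links coming from documents fetched over a remote transport.
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Schemes a remotely loaded document may redirect or link to. The mail lists
// http, ftp, news and mailto; https is added here as an assumption.
static const std::set<std::string> kRemoteAllowedTargets =
    {"http", "https", "ftp", "news", "mailto"};
// Schemes treated as remote (untrusted) sources; assumed set for this example.
static const std::set<std::string> kRemoteSources = {"http", "https", "ftp"};

// Lower-cased scheme of a URL (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
// followed by ":"), or "" if the URL is relative and has no scheme.
std::string urlScheme(std::string url) {
    // Lenient loaders skip leading/trailing whitespace and control characters,
    // so strip them first or "  rio:/" would be classified as a relative URL.
    auto junk = [](unsigned char c) { return c <= 0x20; };
    while (!url.empty() && junk(url.front())) url.erase(url.begin());
    while (!url.empty() && junk(url.back())) url.pop_back();
    std::string scheme;
    for (unsigned char c : url) {
        if (c == ':') return scheme;                 // "" here means ":" with no name
        if (scheme.empty() && !std::isalpha(c)) return "";
        if (std::isalnum(c) || c == '+' || c == '-' || c == '.')
            scheme += static_cast<char>(std::tolower(c));
        else
            return "";                               // e.g. "/path" or "a/b:c"
    }
    return "";                                       // no ":" at all: relative URL
}

// Decide whether a redirect (or clickable link) from sourceUrl to targetUrl may
// be followed. Relative targets resolve against the remote source itself, so
// they inherit its scheme and need no further check.
bool redirectAllowed(const std::string& sourceUrl, const std::string& targetUrl) {
    if (!kRemoteSources.count(urlScheme(sourceUrl)))
        return true;        // local document: this policy only governs remote ones
    const std::string target = urlScheme(targetUrl);
    if (target.empty()) return true;
    return kRemoteAllowedTargets.count(target) > 0;
}

int main() {
    const char* targets[] = {"http://example.org/next", "/login", "mailto:a@example.org",
                             "rio://player/", "FLOPPY:/", "  audiocd:/", "pop3://u@mail.example.org/"};
    for (const char* t : targets)
        std::cout << (redirectAllowed("http://example.org/", t) ? "follow  " : "refuse  ") << t << "\n";
    return 0;
}
```

The same check has to sit on every path that can cause a navigation (HTTP Location headers, meta refresh, clicked links and script-driven loads), since the mail's point is that any of them can name an ioslave the user never intended to talk to.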
