• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: KDE Konqueror KHTML Library Title Cross Site Scripting Vulnerability

Severity: MODERATE

Description:

Konquerer is a web browser included in the KDE desktop environment.

The application is prone to a cross-site scripting vulnerability because the KHTML library fails to sufficiently sanitize user-supplied data from HTML 'title' tags.

To successfully exploit this issue, an attacker must locate a site vulnerable to an HTML-injection issue. This will allow the attacker to embed HTML and script code data without properly escaping this data. Then, by enticing victims into visiting this site, script code will be executed via the 'title' tag, bypassing certain cross-site security-protection schemes.

An attacker could exploit this issue to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

All versions of KDE up to and including KDE 3.5.6 are vulnerable to this issue. Apple Safari web browser is also vulnerable to this issue.

Affected Products:

• Apple Mac OS X 10.2.0
• Apple Mac OS X 10.2.1
• Apple Mac OS X 10.2.2
• Apple Mac OS X 10.2.3
• Apple Mac OS X 10.2.4
• Apple Mac OS X 10.2.5
• Apple Mac OS X 10.2.6
• Apple Mac OS X 10.2.7
• Apple Mac OS X 10.2.8
• Apple Mac OS X 10.3.0
• Apple Mac OS X 10.3.1
• Apple Mac OS X 10.3.2
• Apple Mac OS X 10.3.3
• Apple Mac OS X 10.3.4
• Apple Mac OS X 10.3.5
• Apple Mac OS X 10.3.6
• Apple Mac OS X 10.3.7
• Apple Mac OS X 10.3.8
• Apple Mac OS X 10.3.9
• Apple Mac OS X 10.4.0
• Apple Mac OS X 10.4.1
• Apple Mac OS X 10.4.10
• Apple Mac OS X 10.4.2
• Apple Mac OS X 10.4.3
• Apple Mac OS X 10.4.4
• Apple Mac OS X 10.4.5
• Apple Mac OS X 10.4.6
• Apple Mac OS X 10.4.7
• Apple Mac OS X 10.4.8
• Apple Mac OS X 10.4.9
• Apple Mac OS X Server 10.2.0
• Apple Mac OS X Server 10.2.1
• Apple Mac OS X Server 10.2.2
• Apple Mac OS X Server 10.2.3
• Apple Mac OS X Server 10.2.4
• Apple Mac OS X Server 10.2.5
• Apple Mac OS X Server 10.2.6
• Apple Mac OS X Server 10.2.7
• Apple Mac OS X Server 10.2.8
• Apple Mac OS X Server 10.3.0
• Apple Mac OS X Server 10.3.1
• Apple Mac OS X Server 10.3.2
• Apple Mac OS X Server 10.3.3
• Apple Mac OS X Server 10.3.4
• Apple Mac OS X Server 10.3.5
• Apple Mac OS X Server 10.3.6
• Apple Mac OS X Server 10.3.7
• Apple Mac OS X Server 10.3.8
• Apple Mac OS X Server 10.3.9
• Apple Mac OS X Server 10.4.0
• Apple Mac OS X Server 10.4.1
• Apple Mac OS X Server 10.4.10
• Apple Mac OS X Server 10.4.2
• Apple Mac OS X Server 10.4.3
• Apple Mac OS X Server 10.4.4
• Apple Mac OS X Server 10.4.5
• Apple Mac OS X Server 10.4.6
• Apple Mac OS X Server 10.4.7
• Apple Mac OS X Server 10.4.8
• Apple Mac OS X Server 10.4.9
• Apple Mobile Safari
• Apple Safari 1.0.0
• Apple Safari 1.1.0
• Apple Safari 1.2.0
• Apple Safari 1.2.1
• Apple Safari 1.2.2
• Apple Safari 1.2.3
• Apple Safari 1.3.0
• Apple Safari 1.3.1
• Apple Safari 2.0.1
• Apple Safari 2.0.2
• Apple Safari 2.0.3
• Apple Safari 2.0.4
• Apple Safari Beta 2
• Apple Safari RSS 2.0.0 pre-release
• Caldera OpenLinux 2.3.0
• Caldera OpenLinux Server 3.1.0
• Caldera OpenLinux Server 3.1.1
• Caldera OpenLinux Workstation 3.1.0
• Caldera OpenLinux Workstation 3.1.1
• Conectiva Linux 6.0.0
• Conectiva Linux 7.0.0
• Conectiva Linux 8.0.0
• Conectiva Linux 9.0.0
• Conectiva Linux Enterprise Edition 1.0.0
• Debian Linux 2.2.0
• Debian Linux 2.2.0 68k
• Debian Linux 2.2.0 IA-32
• Debian Linux 2.2.0 alpha
• Debian Linux 2.2.0 arm
• Debian Linux 2.2.0 powerpc
• Debian Linux 2.2.0 sparc
• Debian Linux 3.0.0
• Debian Linux 3.0.0 alpha
• Debian Linux 3.0.0 arm
• Debian Linux 3.0.0 hppa
• Debian Linux 3.0.0 ia-32
• Debian Linux 3.0.0 ia-64
• Debian Linux 3.0.0 m68k
• Debian Linux 3.0.0 mips
• Debian Linux 3.0.0 mipsel
• Debian Linux 3.0.0 ppc
• Debian Linux 3.0.0 s/390
• Debian Linux 3.0.0 sparc
• Debian Linux 3.1.0
• Debian Linux 3.1.0 alpha
• Debian Linux 3.1.0 amd64
• Debian Linux 3.1.0 arm
• Debian Linux 3.1.0 hppa
• Debian Linux 3.1.0 ia-32
• Debian Linux 3.1.0 ia-64
• Debian Linux 3.1.0 m68k
• Debian Linux 3.1.0 mips
• Debian Linux 3.1.0 mipsel
• Debian Linux 3.1.0 ppc
• Debian Linux 3.1.0 s/390
• Debian Linux 3.1.0 sparc
• FreeBSD FreeBSD 4.7.0 -STABLE
• Gentoo Linux
• Gentoo Linux 1.2.0
• Gentoo Linux 1.4.0 _rc1
• KDE KDE 1.1.0
• KDE KDE 1.1.1
• KDE KDE 1.1.2
• KDE KDE 1.2.0
• KDE KDE 2.0.0
• KDE KDE 2.0.0 BETA
• KDE KDE 2.0.1
• KDE KDE 2.1.0
• KDE KDE 2.1.1
• KDE KDE 2.1.2
• KDE KDE 2.2.0
• KDE KDE 2.2.1
• KDE KDE 2.2.2
• KDE KDE 3.0.0
• KDE KDE 3.0.1
• KDE KDE 3.0.2
• KDE KDE 3.0.3
• KDE KDE 3.0.3 a
• KDE KDE 3.0.4
• KDE KDE 3.0.5
• KDE KDE 3.0.5 a
• KDE KDE 3.0.5 b
• KDE KDE 3.1.0
• KDE KDE 3.1.1
• KDE KDE 3.1.1 a
• KDE KDE 3.1.2
• KDE KDE 3.1.3
• KDE KDE 3.1.4
• KDE KDE 3.1.5
• KDE KDE 3.2.0
• KDE KDE 3.2.1
• KDE KDE 3.2.2
• KDE KDE 3.2.3
• KDE KDE 3.3.0
• KDE KDE 3.3.1
• KDE KDE 3.3.2
• KDE KDE 3.3.2
• KDE KDE 3.4.0
• KDE KDE 3.4.0
• KDE KDE 3.4.1
• KDE KDE 3.4.2
• KDE KDE 3.4.3
• KDE KDE 3.5.0
• KDE KDE 3.5.1
• KDE KDE 3.5.2
• KDE KDE 3.5.3
• KDE KDE 3.5.4
• KDE KDE 3.5.5
• KDE KDE 3.5.6
• KDE Konqueror 2.1.1
• KDE Konqueror 2.1.2
• KDE Konqueror 2.2.1
• KDE Konqueror 2.2.2
• KDE Konqueror 3.0.0
• KDE Konqueror 3.0.1
• KDE Konqueror 3.0.2
• KDE Konqueror 3.0.3
• KDE Konqueror 3.0.5
• KDE Konqueror 3.0.5 b
• KDE Konqueror 3.1.0
• KDE Konqueror 3.1.1
• KDE Konqueror 3.1.2
• KDE Konqueror 3.1.3
• KDE Konqueror 3.1.4
• KDE Konqueror 3.1.5
• KDE Konqueror 3.2.1
• KDE Konqueror 3.2.2 -6
• KDE Konqueror 3.2.3
• KDE Konqueror 3.3.0
• KDE Konqueror 3.3.1
• KDE Konqueror 3.3.2
• KDE Konqueror 3.5.1
• KDE Konqueror 3.5.2
• KDE Libkhtml 4.2.0
• KDE kdelibs 2.0.0
• KDE kdelibs 2.0.1
• KDE kdelibs 2.1.0
• KDE kdelibs 2.1.1
• KDE kdelibs 2.1.2
• KDE kdelibs 3.0.0
• KDE kdelibs 3.1.0
• KDE kdelibs 3.1.1
• KDE kdelibs 3.1.2
• KDE kdelibs 3.1.3
• KDE kdelibs 3.1.4
• KDE kdelibs 3.1.5
• KDE kdelibs 3.2.0
• KDE kdelibs 3.2.1
• KDE kdelibs 3.2.2
• KDE kdelibs 3.3.0
• KDE kdelibs 3.3.1
• KDE kdelibs 3.3.2
• KDE kdelibs 3.4.0
• KDE kdelibs 3.4.2
• KDE kdelibs 3.4.3
• KDE kdelibs 3.5.2
• KDE kdelibs 3.5.4
• Linux kernel 2.6.5
• MandrakeSoft Corporate Server 2.1.0
• MandrakeSoft Corporate Server 3.0.0
• MandrakeSoft Corporate Server 3.0.0 x86_64
• MandrakeSoft Corporate Server 4.0
• MandrakeSoft Corporate Server 4.0.0 x86_64
• MandrakeSoft Linux Mandrake 10.0.0
• MandrakeSoft Linux Mandrake 10.0.0 amd64
• MandrakeSoft Linux Mandrake 10.1.0
• MandrakeSoft Linux Mandrake 10.1.0 x86_64
• MandrakeSoft Linux Mandrake 2007.0
• MandrakeSoft Linux Mandrake 2007.0 x86_64
• MandrakeSoft Linux Mandrake 2007.1
• MandrakeSoft Linux Mandrake 2007.1 x86_64
• MandrakeSoft Linux Mandrake 7.0.0
• MandrakeSoft Linux Mandrake 8.1.0
• MandrakeSoft Linux Mandrake 8.1.0 ia64
• MandrakeSoft Linux Mandrake 8.2.0
• MandrakeSoft Linux Mandrake 8.2.0 ppc
• MandrakeSoft Linux Mandrake 9.0.0
• MandrakeSoft Linux Mandrake 9.1.0
• MandrakeSoft Linux Mandrake 9.1.0 ppc
• MandrakeSoft Linux Mandrake 9.2.0
• MandrakeSoft Linux Mandrake 9.2.0 amd64
• Pardus Linux 2007.1
• RedHat Advanced Workstation for the Itanium Processor 2.1.0
• RedHat Desktop 3.0.0
• RedHat Desktop 4.0.0
• RedHat Enterprise Linux AS 2.1
• RedHat Enterprise Linux AS 2.1 IA64
• RedHat Enterprise Linux AS 3
• RedHat Enterprise Linux AS 4
• RedHat Enterprise Linux Desktop version 4
• RedHat Enterprise Linux ES 2.1
• RedHat Enterprise Linux ES 2.1 IA64
• RedHat Enterprise Linux ES 3
• RedHat Enterprise Linux ES 4
• RedHat Enterprise Linux WS 2.1
• RedHat Enterprise Linux WS 2.1 IA64
• RedHat Enterprise Linux WS 3
• RedHat Enterprise Linux WS 4
• RedHat Fedora Core2
• RedHat Fedora Core3
• RedHat Fedora Core4
• RedHat Linux 7.1.0 i386
• RedHat Linux 7.2.0 i386
• RedHat Linux 7.2.0 ia64
• RedHat Linux 7.3.0 i386
• RedHat Linux 8.0.0 i386
• RedHat Linux 9.0.0 i386
• RedHat Linux Advanced Work Station 2.1.0
• S.u.S.E. Linux 10.0 ppc
• S.u.S.E. Linux 10.0 x86
• S.u.S.E. Linux 10.0 x86-64
• S.u.S.E. Linux 10.1 ppc
• S.u.S.E. Linux 10.1 x86
• S.u.S.E. Linux 10.1 x86-64
• S.u.S.E. Linux 8.1.0
• S.u.S.E. Linux Database Server
• S.u.S.E. Linux Desktop 1.0.0
• S.u.S.E. Linux Desktop 10
• S.u.S.E. Linux Enterprise SDK 10
• S.u.S.E. Linux Enterprise Server 10
• S.u.S.E. Linux Enterprise Server 9
• S.u.S.E. Linux Enterprise Server 9-SP3
• S.u.S.E. Linux Enterprise Server SDK 9
• S.u.S.E. Linux Enterprise Server for S/390
• S.u.S.E. Linux Enterprise Server for S/390 9.0.0
• S.u.S.E. Linux Office Server
• S.u.S.E. Linux Openexchange Server
• S.u.S.E. Linux Personal 10.0.0 OSS
• S.u.S.E. Linux Personal 10.1
• S.u.S.E. Linux Personal 10.2
• S.u.S.E. Linux Personal 10.2 x86_64
• S.u.S.E. Linux Personal 8.2.0
• S.u.S.E. Linux Professional 10.0.0
• S.u.S.E. Linux Professional 10.0.0 OSS
• S.u.S.E. Linux Professional 10.1
• S.u.S.E. Linux Professional 10.2
• S.u.S.E. Linux Professional 10.2 x86_64
• S.u.S.E. Novell Linux Desktop 1.0.0
• S.u.S.E. Novell Linux Desktop 9
• S.u.S.E. Novell Linux Desktop 9.0.0
• S.u.S.E. Novell Linux POS 9
• S.u.S.E. Office Server
• S.u.S.E. Open-Enterprise-Server
• S.u.S.E. Open-Enterprise-Server 1
• S.u.S.E. Open-Enterprise-Server 9.0.0
• S.u.S.E. SLE SDK 10
• S.u.S.E. SLE SDK 9
• S.u.S.E. SUSE CORE 9 for x86
• S.u.S.E. SUSE LINUX Retail Solution 8.0.0
• S.u.S.E. SUSE Linux Enterprise Desktop 10
• S.u.S.E. SUSE Linux Enterprise Server 10
• S.u.S.E. SUSE Linux Enterprise Server 9 SP3
• S.u.S.E. SuSE Linux Open-Xchange 4.1.0
• S.u.S.E. SuSE Linux Openexchange Server 4.0.0
• S.u.S.E. SuSE Linux School Server for i386
• S.u.S.E. SuSE Linux Standard Server 8.0.0
• S.u.S.E. UnitedLinux 1.0.0
• S.u.S.E. openSUSE 10.2
• Sun Linux 5.0.5
• Sun Linux 5.0.6
• Sun Linux 5.0.7
• Turbolinux FUJI
• Turbolinux Home
• Turbolinux Turbolinux 10 F...
• Turbolinux Turbolinux Desktop 10.0.0
• Turbolinux Turbolinux FUJI
• Turbolinux Turbolinux Server 10.0.0
• Turbolinux Turbolinux Server 10.0.0 x64
• Turbolinux Turbolinux Server 7.0.0
• Turbolinux Turbolinux Server 8.0.0
• Turbolinux Turbolinux Workstation 7.0.0
• Turbolinux Turbolinux Workstation 8.0.0
• Ubuntu Ubuntu Linux 5.10.0 amd64
• Ubuntu Ubuntu Linux 5.10.0 i386
• Ubuntu Ubuntu Linux 5.10.0 powerpc
• Ubuntu Ubuntu Linux 5.10.0 sparc
• Ubuntu Ubuntu Linux 6.06 LTS amd64
• Ubuntu Ubuntu Linux 6.06 LTS i386
• Ubuntu Ubuntu Linux 6.06 LTS powerpc
• Ubuntu Ubuntu Linux 6.06 LTS sparc
• Ubuntu Ubuntu Linux 6.10 amd64
• Ubuntu Ubuntu Linux 6.10 i386
• Ubuntu Ubuntu Linux 6.10 powerpc
• Ubuntu Ubuntu Linux 6.10 sparc
• rPath rPath Linux 1

References:

• Apple: Safari Homepage
• KDE: KDE Home Page
• KDE: KDE Security Advisory: khtml/konqueror title XSS vulnerability
• Konqueror: Konqueror Homepage
• Robert Tasarz: Re: Safari Improperly Parses HTML Documents & BlogSpot XSS vulnerability

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.