• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: KDE Konqueror SetInterval Function Address Bar URI Spoofing Vulnerability

Severity: MODERATE

Description:

KDE Konqueror is a browser and file manager for the KDE desktop environment.

The application is prone to URI spoofing vulnerability. This issue occurs because the application fails to sufficiently sanitize user-supplied data. Specifically, this issue occurs when the 'setInterval()' function is called with a small value when setting the value of 'window.location.setproperty'. This will cause the affected browser to remain in the attacker-supplied site, while the victim assumes that they are visiting a trusted site.

The attacker can exploit this issue to display arbitrary content while displaying the URL of a trusted site in the address bar. This may lead to a false sense of trust because the victim may be presented with a source URI of a trusted site while interacting with the attacker's malicious site.

Konqueror 3.5.7 is vulnerable; other versions may also be affected.

Affected Products:

• KDE Konqueror 3.5.5
• KDE Konqueror 3.5.7
• MandrakeSoft Corporate Server 3.0.0
• MandrakeSoft Corporate Server 3.0.0 x86_64
• MandrakeSoft Corporate Server 4.0
• MandrakeSoft Corporate Server 4.0.0 x86_64
• MandrakeSoft Linux Mandrake 2007.0
• MandrakeSoft Linux Mandrake 2007.0 x86_64
• MandrakeSoft Linux Mandrake 2007.1
• MandrakeSoft Linux Mandrake 2007.1 x86_64
• RedHat Desktop 4.0.0
• RedHat Enterprise Linux 5 server
• RedHat Enterprise Linux AS 4
• RedHat Enterprise Linux Desktop 5 client
• RedHat Enterprise Linux Desktop Workstation 5 client
• RedHat Enterprise Linux ES 4
• RedHat Enterprise Linux WS 4
• Slackware Linux 12.0
• SuSE Linux 10.0
• SuSE Linux 10.1
• SuSE SLES 10
• SuSE SLES 8
• SuSE SLES 9
• SuSE openSUSE 10.2
• SuSE openSUSE 10.3
• Ubuntu Ubuntu Linux 5.10.0 amd64
• Ubuntu Ubuntu Linux 5.10.0 i386
• Ubuntu Ubuntu Linux 5.10.0 powerpc
• Ubuntu Ubuntu Linux 5.10.0 sparc
• Ubuntu Ubuntu Linux 6.06 LTS amd64
• Ubuntu Ubuntu Linux 6.06 LTS i386
• Ubuntu Ubuntu Linux 6.06 LTS powerpc
• Ubuntu Ubuntu Linux 6.06 LTS sparc
• Ubuntu Ubuntu Linux 6.10 amd64
• Ubuntu Ubuntu Linux 6.10 i386
• Ubuntu Ubuntu Linux 6.10 powerpc
• Ubuntu Ubuntu Linux 6.10 sparc
• Ubuntu Ubuntu Linux 7.04 amd64
• Ubuntu Ubuntu Linux 7.04 i386
• Ubuntu Ubuntu Linux 7.04 powerpc
• Ubuntu Ubuntu Linux 7.04 sparc
• rPath rPath Linux 1

References:

• KDE: KDE Security Advisory: konqueror address bar spoofing
• KDE: Konqueror Homepage
• Red Hat: RHSA-2007:0905-4 Moderate: kdebase security update

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.