INFORMATION BULLETIN
M-124: Konqueror Secure Cookie Vulnerability
[KDE Security Advisory]
September 11, 2002 20:00 GMT
PROBLEM:
Konqueror fails to detect the "secure" flag in HTTP cookies and as a result may send secure cookies back to the originating site over an unencrypted network connection.

PLATFORM:
Konqueror in KDE 3.0, KDE 3.0.1 and KDE 3.0.2.

DAMAGE:
Sessions could be hijacked or accounts compromised.

SOLUTION:
Upgrade to KDE 3.0.3 or apply patch.

VULNERABILITY ASSESSMENT:
The risk is MEDIUM. An attacker eavesdropping on the unencrypted network could obtain information that could lead to a session hijack or compromised account.
[***** Start KDE Security Advisory *****]
KDE Security Advisory: Secure Cookie Vulnerability
Original Release Date: 2002-09-08
URL: http://www.kde.org/info/security/advisory-20020908-1.txt
0. References
None.
1. Systems affected:
Konqueror in KDE 3.0, KDE 3.0.1 and KDE 3.0.2.
KDE 2.2.2 and KDE 3.0.3 are NOT affected.
2. Overview:
Konqueror fails to detect the "secure" flag in HTTP cookies and as
a result may send secure cookies back to the originating site over
an unencrypted network connection.
3. Impact:
A secure session that relies solely on secure cookies for
identifying the session can possibly be hijacked, or an account
which relies solely on secure cookies for logging on may be
compromised, by an attacker who manages to eavesdrop on the
unencrypted network connection.
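To make the failure in sections 2 and 3 concrete, here is an added example (not the advisory's text and not KDE's kcookiejar code) of a minimal cookie jar that parses Set-Cookie headers and decides which cookies to attach to an outgoing request. The jar can be built either honouring the Secure attribute (correct) or ignoring it (the behaviour the advisory describes). All hostnames, cookie names and header values are constructed for the example.

```python
"""Added example: a minimal cookie jar that honours (or, for contrast,
ignores) the Secure attribute. Not kcookiejar; all sample data is constructed."""
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":           # attribute names are case-insensitive
            cookie["secure"] = True
        elif key == "domain":
            cookie["domain"] = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val.strip() or "/"
    return cookie


class CookieJar:
    """honour_secure_flag=False reproduces the advisory's faulty behaviour."""

    def __init__(self, honour_secure_flag: bool = True):
        self.honour_secure_flag = honour_secure_flag
        self.cookies = []

    def store(self, origin_url: str, header: str) -> None:
        host = (urlsplit(origin_url).hostname or "").lower()
        cookie = parse_set_cookie(header)
        cookie.setdefault("domain", host)   # host-only cookie by default
        cookie.setdefault("path", "/")
        self.cookies.append(cookie)

    def cookies_for(self, url: str) -> list:
        """Names of cookies that would be sent with a request to url."""
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        is_https = parts.scheme == "https"
        selected = []
        for c in self.cookies:
            if not (host == c["domain"] or host.endswith("." + c["domain"])):
                continue
            if not path.startswith(c["path"]):
                continue
            # The check the vulnerable browser was missing: a Secure cookie
            # must never be attached to a plaintext (http://) request.
            if c["secure"] and not is_https and self.honour_secure_flag:
                continue
            selected.append(c["name"])
        return selected


def demo() -> dict:
    """Compare a correct jar with one that ignores Secure (constructed data)."""
    results = {}
    for label, honour in (("fixed", True), ("vulnerable", False)):
        jar = CookieJar(honour_secure_flag=honour)
        jar.store("https://bank.example/login", "SESSION=abc123; Secure; Path=/")
        jar.store("https://bank.example/", "THEME=dark")
        results[label] = {
            "https": jar.cookies_for("https://bank.example/account"),
            "http": jar.cookies_for("http://bank.example/account"),
        }
    return results


if __name__ == "__main__":
    for label, sent in demo().items():
        print(label, sent)
```

Running `demo()` shows the difference: the fixed jar sends `SESSION` only over https and withholds it on the http request, while the vulnerable jar attaches `SESSION` to both, which is exactly what lets an eavesdropper on the unencrypted link read the session cookie. Using an interposing proxy or a packet capture against a test server is the practical way to confirm a browser's actual behaviour here.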
4. Solution:
Upgrade to KDE 3.0.3 in which this problem is fixed or apply the
patch below.
5. Patch:
A patch for KDE 3.0, KDE 3.0.1 and KDE 3.0.2 is available from
ftp://ftp.kde.org/pub/kde/security_patches :
1abff4a02381b5ca11273d02c6a5c6ca post-3.0-kdelibs-kcookiejar.diff
[***** End KDE Security Advisory *****]
CIAC wishes to acknowledge the contributions of KDE for the
information contained in this bulletin.
DOE-CIRC can be contacted at:
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/