Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce - KDE: certificate spoofing via KSSL and Rekonq

October 2011 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker can use an X.509 certificate with a malicious Common
Name, in order to deceive the victim who uses KSSL or Rekonq.

Severity: 1/4

Creation date: 03/10/2011

IMPACTED PRODUCTS

 Unix - plateform

DESCRIPTION OF THE VULNERABILITY

The Qt graphic library uses QLabel objects, in order to display a
text area.

The text format is defined in the enum Qt::TextFormat :
 Qt::PlainText : raw text
 Qt::RichText : complex text (table, frame, list, etc.)
 Qt::AutoText : autodetection of PlainText or RichText
By default, QLabel uses the Qt::AutoText format, so it analyzes
the content to detect how to display it.

The KSSL class and the Rekonq browser use a QLabel to display the
Common Name of an X.509 certificate. However, the AutoText default
format is used (instead of PlainText). If the Common Name contains
a table as RichText, its second line is then displayed above the
field.

An attacker can therefore use an X.509 certificate with a
malicious Common Name, in order to deceive the victim who uses
KSSL or Rekonq.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/KDE-certificate-spoofing-via-KSSL-and-Rekonq-11028


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts