Vigil@nce - KDE: password displayed in KIO Slave HTTP error messages
May 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can trigger a network error, so that KDE displays
an error message containing the password used by the HTTP KIO
Slave.
– Impacted products: Unix (platform)
– Severity: 1/4
– Creation date: 13/05/2013
DESCRIPTION OF THE VULNERABILITY
The HTTP KIO Slave processes HTTP sessions in background.
When a network error occurs, the kioslave/http/http.cpp file calls
m_request.url.url() to generate the error message. However, this
url can contain the password required to access to the resource
(http://user:password@server/).
A local attacker can therefore trigger a network error, so that
KDE displays an error message containing the password used by the
HTTP KIO Slave.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/KDE-password-displayed-in-KIO-Slave-HTTP-error-messages-12770