[26938] in bugtraq


Re: MSIEv6 % encoding - Konqueror 3.0.3 also vulnerable

daemon@ATHENA.MIT.EDU (Dirk Mueller)
Fri Sep 6 19:33:28 2002

Date: Sat, 7 Sep 2002 01:07:39 +0200
From: Dirk Mueller <mueller@kde.org>
To: Piotr Paw?ow <pp@siedziba.pl>
Message-ID: <20020906230738.GA27764@matrix.wg>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="OwLcNYc0lM97+oe1"
Content-Disposition: inline
In-Reply-To: <200209061625.47296@siedziba.pl>

--OwLcNYc0lM97+oe1
Content-Type: multipart/mixed; boundary="5vNYLRcllDrimb99"
Content-Disposition: inline


--5vNYLRcllDrimb99
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fre, 06 Sep 2002, Piotr Pawłow wrote:

> Test page for Konqueror is at:
> http://pp.siedziba.pl/2f/

This is actually not related to the % encoding problem in IE, but a general regression that was introduced in the KDE 3.0.3 release.

Below is the fix, which has already been tested and committed to CVS.

Note that this is a fairly minor problem, as the evilhacker can always create a subdomain like yahoo.evilhacker.net and proxy the Yahoo pages there, and all browsers will give access to the frames in this case.

Note that in any case the "wrong" URL is still visible in the location bar, so it should be obvious that although it looks like yahoo, it isn't yahoo at all.


--=20
Dirk

--5vNYLRcllDrimb99
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="crosside-3.0.diff"
Content-Transfer-Encoding: quoted-printable

Index: khtml_part.cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/kde/kdelibs/khtml/khtml_part.cpp,v
retrieving revision 1.684.2.9
diff -u -5 -d -p -r1.684.2.9 khtml_part.cpp
--- khtml_part.cpp	2002/06/21 13:52:09	1.684.2.9
+++ khtml_part.cpp	2002/09/06 21:41:20
@@ -1577,11 +1577,11 @@ void KHTMLPart::checkEmitLoadEvent()
       {
         KHTMLPart* htmlFrame =3D static_cast<KHTMLPart *>(p);
         if (htmlFrame->d->m_doc && htmlFrame->d->m_doc->isHTMLDocument() )
         {
           kdDebug() << "KHTMLPart::checkCompleted setting frame domain to =
" << domain.string() << endl;
-          static_cast<HTMLDocumentImpl*>(htmlFrame->d->m_doc)->setDomain( =
domain, true );
+          static_cast<HTMLDocumentImpl*>(htmlFrame->d->m_doc)->setDomain( =
domain );
         }
       }
     }
   }
=20
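Review bot: The debug line kept as context names `KHTMLPart::checkCompleted` while the hunk header shows the enclosing function is `checkEmitLoadEvent`, and once the `force` argument is gone the message "setting frame domain to" no longer describes an outcome, because setDomain now decides internally whether the suffix rule admits the value. Suggest `kdDebug() << "KHTMLPart::checkEmitLoadEvent requesting frame domain " << domain.string() << endl;` so the log neither misnames the function nor implies the assignment took effect. The same "log before a call whose result is now conditional" pattern appears in the WindowFunc::tryCall hunk of ecma/kjs_window.cpp ("Setting domain to"). The enclosing checkEmitLoadEvent body begins outside this hunk.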
Index: ecma/kjs_window.cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/kde/kdelibs/khtml/ecma/kjs_window.cpp,v
retrieving revision 1.254.2.7
diff -u -5 -d -p -r1.254.2.7 kjs_window.cpp
--- ecma/kjs_window.cpp	2002/08/09 13:40:39	1.254.2.7
+++ ecma/kjs_window.cpp	2002/09/06 21:41:21
@@ -895,11 +895,11 @@ bool Window::isSafeScript(ExecState *exe
     kdDebug(6070) << "Window::isSafeScript: active part has no document!" =
<< endl;
     return false;
   }
   DOM::DOMString actDomain =3D actDocument.domain();
   DOM::DOMString thisDomain =3D thisDocument.domain();
-  //kdDebug(6070) << "current domain:" << actDomain.string() << ", frame d=
omain:" << thisDomain.string() << endl;
+
   if ( actDomain =3D=3D thisDomain )
     return true;
=20
   kdWarning(6070) << "Javascript: access denied for current frame '" << ac=
tDomain.string() << "' to frame '" << thisDomain.string() << "'" << endl;
   return false;
@@ -1164,11 +1164,11 @@ Value WindowFunc::tryCall(ExecState *exe
           khtmlpart->begin();
           khtmlpart->write("<HTML><BODY>");
           khtmlpart->end();
           if ( part->docImpl() ) {
             kdDebug(6070) << "Setting domain to " << part->docImpl()->doma=
in().string() << endl;
-            khtmlpart->docImpl()->setDomain( part->docImpl()->domain(), tr=
ue );
+            khtmlpart->docImpl()->setDomain( part->docImpl()->domain());
             khtmlpart->docImpl()->setBaseURL( part->docImpl()->baseURL() );
           }
         }
         uargs.serviceType =3D QString::null;
         if (uargs.frameName =3D=3D "_blank")
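Review bot: `khtmlpart->docImpl()` is dereferenced twice on the changed line without the null check that `part->docImpl()` receives two lines above; if begin()/write()/end() guarantee a document this is harmless, but `if ( khtmlpart->docImpl() && part->docImpl() ) {` is a cheap guard. The document just created with write("<HTML><BODY>") presumably has no URL host, so with `force` removed the opener's domain is adopted through the empty-domain branch of the new HTMLDocumentImpl::setDomain rather than the suffix check, and that branch's JS-opened-window condition is commented out in html_documentimpl.cpp. A comment naming that dependency would help the next reader, e.g. `// new document has no host yet; setDomain() adopts the opener's domain via its empty-domain path`. The enclosing tryCall body begins and ends outside this hunk.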
Index: html/html_documentimpl.cpp
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/kde/kdelibs/khtml/html/html_documentimpl.cpp,v
retrieving revision 1.139.2.1
diff -u -5 -d -p -r1.139.2.1 html_documentimpl.cpp
--- html/html_documentimpl.cpp	2002/06/17 18:33:37	1.139.2.1
+++ html/html_documentimpl.cpp	2002/09/06 21:41:23
@@ -93,31 +93,31 @@ DOMString HTMLDocumentImpl::domain() con
     if ( m_domain.isEmpty() ) // not set yet (we set it on demand to save =
time and space)
         m_domain =3D KURL(URL()).host(); // Initially set to the host
     return m_domain;
 }
=20
-void HTMLDocumentImpl::setDomain(const DOMString &newDomain, bool force /*=
=3Dfalse*/)
+void HTMLDocumentImpl::setDomain(const DOMString &newDomain)
 {
-    if ( force ) {
-        m_domain =3D newDomain;
-        return;
-    }
     if ( m_domain.isEmpty() ) // not set yet (we set it on demand to save =
time and space)
-        m_domain =3D KURL(URL()).host(); // Initially set to the host
+        m_domain =3D KURL(URL()).host().lower(); // Initially set to the h=
ost
+
+    if ( m_domain.isEmpty() /*&& view() && view()->part()->openedByJS()*/ )
+        m_domain =3D newDomain.lower();
=20
     // Both NS and IE specify that changing the domain is only allowed when
     // the new domain is a suffix of the old domain.
     int oldLength =3D m_domain.length();
     int newLength =3D newDomain.length();
     if ( newLength < oldLength ) // e.g. newDomain=3Dkde.org (7) and m_dom=
ain=3Dwww.kde.org (11)
     {
         DOMString test =3D m_domain.copy();
+        DOMString reference =3D newDomain.lower();
         if ( test[oldLength - newLength - 1] =3D=3D '.' ) // Check that it=
's a subdomain, not e.g. "de.org"
         {
             test.remove( 0, oldLength - newLength ); // now test is "kde.o=
rg" from m_domain
-            if ( test =3D=3D newDomain )                 // and we check t=
hat it's the same thing as newDomain
-                m_domain =3D newDomain;
+            if ( test =3D=3D reference )                 // and we check t=
hat it's the same thing as newDomain
+                m_domain =3D reference;
         }
     }
 }
=20
 DOMString HTMLDocumentImpl::lastModified() const
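Review bot: domain() at the top of this hunk still initializes m_domain from `KURL(URL()).host()` without `.lower()`, while the new setDomain initializes it with `.lower()` and compares against `newDomain.lower()`. If domain() runs first — Window::isSafeScript in ecma/kjs_window.cpp calls it on both documents — a host containing uppercase letters is stored unlowered, so a later legitimate suffix change fails the `test == reference` comparison and the `actDomain == thisDomain` check compares differently cased strings; make the on-demand init in domain() read `m_domain = KURL(URL()).host().lower();` so both paths agree (unless KURL::host() already lowercases, which the hunk does not show). The commented-out `/*&& view() && view()->part()->openedByJS()*/` leaves the empty-domain branch unconditional, so any document whose URL has no host may adopt an arbitrary domain; either restore the guard or replace the dead comment with one stating why the broader rule is intended. Nothing rejects a newDomain that is a bare top-level label (for "kde.org", newDomain "org" passes the '.' check), which is the long-known document.domain hazard; a `// TODO: reject public-suffix/TLD values` marker would at least record that the check is missing.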
@@ -129,20 +129,20 @@ DOMString HTMLDocumentImpl::lastModified
=20
 DOMString HTMLDocumentImpl::cookie() const
 {
     long windowId =3D 0;
     KHTMLView *v =3D view ();
-   =20
+
     if ( v && v->topLevelWidget() )
       windowId =3D v->topLevelWidget()->winId();
=20
     QCString replyType;
     QByteArray params, reply;
     QDataStream stream(params, IO_WriteOnly);
     stream << URL() << windowId;
     if (!kapp->dcopClient()->call("kcookiejar", "kcookiejar",
-                                  "findDOMCookies(QString, int)", params,=
=20
+                                  "findDOMCookies(QString, int)", params,
                                   replyType, reply)) {
          // Maybe it wasn't running (e.g. we're opening local html files)
          KApplication::startServiceByDesktopName( "kcookiejar");
          if (!kapp->dcopClient()->call("kcookiejar", "kcookiejar",
                                        "findDOMCookies(QString)", params, =
replyType, reply)) {
@@ -165,14 +165,14 @@ DOMString HTMLDocumentImpl::cookie() con
=20
 void HTMLDocumentImpl::setCookie( const DOMString & value )
 {
     long windowId =3D 0;
     KHTMLView *v =3D view ();
-   =20
+
     if ( v && v->topLevelWidget() )
       windowId =3D v->topLevelWidget()->winId();
-    =20
+
     QByteArray params;
     QDataStream stream(params, IO_WriteOnly);
     QString fake_header("Set-Cookie: ");
     fake_header.append(value.string());
     fake_header.append("\n");
Index: html/html_documentimpl.h
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
RCS file: /home/kde/kdelibs/khtml/html/html_documentimpl.h,v
retrieving revision 1.64
diff -u -5 -d -p -r1.64 html_documentimpl.h
--- html/html_documentimpl.h	2002/02/04 03:40:48	1.64
+++ html/html_documentimpl.h	2002/09/06 21:41:23
@@ -53,11 +53,11 @@ public:
=20
     virtual bool isHTMLDocument() const { return true; }
=20
     DOMString referrer() const;
     DOMString domain() const;
-    void setDomain( const DOMString &newDomain, bool force =3D false ); //=
 not part of the DOM
+    void setDomain( const DOMString &newDomain ); // not part of the DOM
     DOMString lastModified() const;
     DOMString cookie() const;
     void setCookie( const DOMString &);
=20
     HTMLElementImpl *body();
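Review bot: The declaration's only comment is `// not part of the DOM`, and the new contract is not visible from the signature: the value is lowercased, adopted wholesale only when the document has no domain yet, otherwise applied only if it is a dot-delimited suffix of the current domain, and silently ignored when rejected. Suggest replacing the comment with a short description of those rules and of the fact that callers cannot tell from the call whether the change was accepted. The callers in khtml_part.cpp and ecma/kjs_window.cpp that previously passed force=true now depend on exactly this behaviour, so documenting it in the header is where it will be found.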

--5vNYLRcllDrimb99--

--OwLcNYc0lM97+oe1
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9eTU6vsXr+iuy1UoRAsaSAKDRXNi6CQ8eQh0fff0l5tSzDmXxnACgivw7
5qkUTMEKpa6ty2TEPkf86/s=
=0P6S
-----END PGP SIGNATURE-----

--OwLcNYc0lM97+oe1--
