English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.50352
Category:Fedora Local Security Checks
Title:Fedora Core 1 FEDORA-2004-290 (kdelibs)
Summary:NOSUMMARY
Description:Description:

The remote host is missing an update to kdelibs
announced via advisory FEDORA-2004-290.

Libraries for the K Desktop Environment:
KDE Libraries included: kdecore (KDE core library), kdeui (user interface),
kfm (file manager), khtmlw (HTML widget), kio (Input/Output, networking),
kspell (spelling checker), jscript (javascript), kab (addressbook),
kimgio (image manipulation).

Update Information:

Andrew Tuitt reported that versions of KDE up to and including 3.2.3 create
temporary directories with predictable names. A local attacker could
prevent KDE applications from functioning correctly, or overwrite files
owned by other users by creating malicious symlinks. The Common
Vulnerabilities and Exposures project has assigned the name CVE-2004-0689
to this issue.

WESTPOINT internet reconnaissance services has discovered that the KDE web
browser Konqueror allows websites to set cookies for certain country
specific secondary top level domains. An attacker within one of the
affected domains could construct a cookie which would be sent to all other
websites within the domain leading to a session fixation attack. This
issue does not affect popular domains such as .co.uk, .co.in, or .com. The
Common Vulnerabilities and Exposures project has assigned the name
CVE-2004-0721 to this issue.

A frame injection spoofing vulnerability has been discovered in the
Konqueror web browser. This issue could allow a malicious website to show
arbitrary content in a named frame of a different browser window. The
Common Vulnerabilities and Exposures project has assigned the name
CVE-2004-0746 to this issue.

All users of KDE are advised to upgrade to these erratum packages,
which contain backported patches from the KDE team for these issues.

* Wed Sep 01 2004 Than Ngo 6:3.1.4-7

- Konqueror Frame Injection Vulnerability CVE-2004-0721
- Konqueror Cross-Domain Cookie Injection CVE-2004-0746

* Wed Jul 28 2004 Than Ngo 6:3.1.4-6

- temporary directory vulnerability, CVE-2004-0689

This update can be downloaded from:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/

008938cbdcd2153b84d2dda1cbcbf887 SRPMS/kdelibs-3.1.4-7.src.rpm
eb7ea45f4d74c1445336bcef9761f02f x86_64/kdelibs-3.1.4-7.x86_64.rpm
09e622613f98b001d548815e0e8a8a1e x86_64/kdelibs-devel-3.1.4-7.x86_64.rpm
5b239bdfa7ccadb00fe6eca14b4c0593 x86_64/debug/kdelibs-debuginfo-3.1.4-7.x86_64.rpm
61cef6ddcc8a103f0aae6d7c8a31e224 i386/kdelibs-3.1.4-7.i386.rpm
987c650d14f71dc848cce75f8bf4dc3a i386/kdelibs-devel-3.1.4-7.i386.rpm
b2831db469e778da7a7d4073d6cb5517 i386/debug/kdelibs-debuginfo-3.1.4-7.i386.rpm

This update can also be installed with the Update Agent
you can
launch the Update Agent with the 'up2date' command.


Solution: Apply the appropriate updates.
http://www.fedoranews.org/updates/FEDORA-2004-290.shtml

Risk factor : High

CVSS Score:
7.5

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2004-0689
Bugtraq: 20040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities (Google Search)
http://marc.info/?l=bugtraq&m=109225538901170&w=2
Conectiva Linux advisory: CLA-2004:864
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000864
Debian Security Information: DSA-539 (Google Search)
http://www.debian.org/security/2004/dsa-539
http://security.gentoo.org/glsa/glsa-200408-13.xml
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9334
http://secunia.com/advisories/12276/
XForce ISS Database: kde-application-symlink(16963)
https://exchange.xforce.ibmcloud.com/vulnerabilities/16963
Common Vulnerability Exposure (CVE) ID: CVE-2004-0721
http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11371
http://secunia.com/advisories/11978
XForce ISS Database: http-frame-spoof(1598)
https://exchange.xforce.ibmcloud.com/vulnerabilities/1598
Common Vulnerability Exposure (CVE) ID: CVE-2004-0746
BugTraq ID: 10991
http://www.securityfocus.com/bid/10991
Bugtraq: 20040823 KDE Security Advisory: Konqueror Cross-Domain Cookie Injection (Google Search)
http://marc.info/?l=bugtraq&m=109327681304401&w=2
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:086
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11281
http://secunia.com/advisories/12341
XForce ISS Database: kde-konqueror-cookie-set(17063)
https://exchange.xforce.ibmcloud.com/vulnerabilities/17063
CopyrightCopyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.