Date: Fri, 10 May 2013 20:18:01 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Vincent Danen <vdanen@...hat.com>
Subject: Re: CVE request: password exposure in kdelibs when
 showing "internal server error" messages


On 05/10/2013 03:28 PM, Vincent Danen wrote:
> I've not seen this yet; could a CVE be assigned to the following
> issue?
> 
> It was reported that when KDE encounters an "internal server
> error" and also prints out the URL that caused the error that it
> would include the username and password (if supplied) to the
> resource that caused the error.  For instance, it would show 
> "https://user:password@...otehost.com" or similar.  This is due to 
> kioslave/http/http.cpp using m_request.url.url() rather than the 
> sanitized m_request.url.prettyUrl().  This issue is fixed in git.
> 
> Note that this information is printed out to the local user
> actively using the computer.
> 
> References:
> 
> https://bugs.kde.org/show_bug.cgi?id=319428
> https://projects.kde.org/projects/kde/kdelibs/repository/revisions/65d736dab592bced4410ccfa4699de89f78c96ca/diff/kioslave/http/http.cpp
> https://bugs.mageia.org/show_bug.cgi?id=10037
> https://bugzilla.redhat.com/show_bug.cgi?id=961981
> 
> 

Please use CVE-2013-2074 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
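The bug quoted above comes down to echoing a URL that still carries its userinfo. As an added illustration (not kdelibs code; KUrl's url()/prettyUrl() are stood in for by plain std::string helpers, and the hostnames are constructed), the snippet below shows the raw error message beside a redacting one:

```cpp
#include <iostream>
#include <string>

// Strip "user:password@" from the authority of an absolute URL.
// Stand-in for KUrl::prettyUrl(); the userinfo ends at the last '@'
// before the first '/', '?' or '#' that follows "scheme://".
std::string redactUserInfo(const std::string& url) {
    const std::string schemeSep = "://";
    std::string::size_type schemeEnd = url.find(schemeSep);
    if (schemeEnd == std::string::npos)
        return url;  // relative or scheme-less: nothing to redact
    std::string::size_type authStart = schemeEnd + schemeSep.size();
    std::string::size_type authEnd = url.find_first_of("/?#", authStart);
    if (authEnd == std::string::npos)
        authEnd = url.size();
    std::string::size_type at = url.rfind('@', authEnd);
    if (at == std::string::npos || at < authStart)
        return url;  // no userinfo present
    return url.substr(0, authStart) + url.substr(at + 1);
}

// Vulnerable form: mirrors using m_request.url.url(), credentials included.
std::string errorMessageRaw(const std::string& url) {
    return "Internal server error while accessing " + url;
}

// Hardened form: mirrors the switch to the sanitized prettyUrl().
std::string errorMessageSafe(const std::string& url) {
    return "Internal server error while accessing " + redactUserInfo(url);
}

// Regression check: does a rendered message still contain the secret?
bool leaksSecret(const std::string& message, const std::string& secret) {
    return message.find(secret) != std::string::npos;
}

int main() {
    // Constructed sample, hostname is a placeholder.
    const std::string url = "https://user:password@remotehost.example:8443/path?q=1#frag";
    std::cout << errorMessageRaw(url) << "\n";   // leaks "password"
    std::cout << errorMessageSafe(url) << "\n";  // host, port, path kept
    return 0;
}
```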
