Rekonq 0.5 Cross Site Scripting

Posted Aug 19, 2010
Authored by Tim Brown | Site nth-dimension.org.uk

The Rekonq web browser is vulnerable to Javascript injection in a number of components of the user interface. Depending on the exact component affected, this can lead to Javascript being executed in a number of contexts, which in the worst case could allow an arbitrary web site to be spoofed, or even allow the Javascript to be executed in the security context of an arbitrary site.

tags | exploit, web, arbitrary, spoof, javascript
SHA-256 | b604a1d5db6b3f8fe6875b468e0971c8b0a5c62c937984575dbb59a86d78a575

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20100818)
Date: 18th August 2010
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Rekonq 0.5 <http://rekonq.sourceforge.net/>
Vendor: Andrea Diamantini <http://www.adjam.org/>
Risk: Medium

Summary

The Rekonq web browser is vulnerable to Javascript injection in a number
of components of the user interface. Depending on the exact component
affected, this can lead to Javascript being executed in a number of contexts,
which in the worst case could allow an arbitrary web site to be spoofed,
or even allow the Javascript to be executed in the security context of an
arbitrary site.

Whilst initially Nth Dimension had no intention to publish this advisory,
the increasing prominence of the project led to a reevaluation of this
decision. After discussions with the vendor, Nth Dimension approached
the oss-security[1] mailing list to request a CVE reference for this
vulnerability. Josh Bressers of Red Hat assigned CVE-2010-2536 to this
vulnerability.

Technical Details

Rekonq 0.4 is affected by Javascript injection which allows universal
XSS. Opening a fresh instance of Rekonq and entering the following URL
causes the Javascript to be executed in the context of the requested
domain:

http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/"><script>alert(document.cookie)</script>

Since Rekonq fails to resolve the hostname, it then displays an
error message. The error message output by Rekonq includes the full URL,
including the <script> tags, without escaping it. Since Rekonq sees that
the requested URL is part of *.twitter.com, and since twitter.com sets
wildcard domain cookies, the error page is able to access any cookies that
have been set for that domain. Note that this is not unique to twitter.com:
cookies can be stolen for any site that sets wildcard domain cookies.

Furthermore, in Rekonq 0.4 Javascript can also be injected into the
favourites, bookmarks, closed tabs and history user interface components in
a similar fashion, since these components are constructed as HTML which is
then rendered by Rekonq.

Finally, whilst these issues are partially resolved in Rekonq 0.5,
pages can still be spoofed. For example, by entering:

https://wwwmail.google.com/"><script>document.body.innerHTML='<h1>Welcome to Google.com</h1>Username: <input type="username" name="text">Password: <input type="password" name="password"><input type="submit" value="Submit">'</script>

into the URL bar and pressing enter. As with Rekonq 0.4, the full URL
submitted is used as part of the error page, in this case for the "Try
again" button. Whilst the cookies for the domain can no longer be accessed,
it is still possible to spoof legitimate-looking pages.
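The root cause described in both the 0.4 and 0.5 sections is the same: a user-controlled string (the requested URL) is concatenated into the HTML of the error page, once as element text and once inside the `href` attribute of the "Try again" button. The following is an added illustration of that pattern and its fix, written for this page and not taken from Rekonq's or KDE's source; the function names, the page template and the sample URL are constructed. It escapes the five characters that are significant in HTML text and attribute contexts, so the same escaped value is inert in both places the advisory names.

```cpp
#include <iostream>
#include <string>

// HTML-escape a string so that it is inert both as element text and as a
// double-quoted attribute value. Escaping '&' first avoids double-encoding
// existing entities on a second pass.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Unsafe (the pattern the advisory describes): the raw URL is spliced into
// the markup, so any markup in the URL becomes part of the error page.
std::string buildErrorPageUnsafe(const std::string &url) {
    return "<html><body><h1>Could not load page</h1>"
           "<p>The page " + url + " could not be found.</p>"
           "<a href=\"" + url + "\">Try again</a></body></html>";
}

// Hardened: the URL is escaped before it is placed in either context.
std::string buildErrorPageSafe(const std::string &url) {
    const std::string esc = htmlEscape(url);
    return "<html><body><h1>Could not load page</h1>"
           "<p>The page " + esc + " could not be found.</p>"
           "<a href=\"" + esc + "\">Try again</a></body></html>";
}

// Detection helper: does the generated page contain a raw <script opener?
bool containsRawScriptTag(const std::string &html) {
    return html.find("<script") != std::string::npos;
}

int main() {
    // Constructed sample: a hostname that will not resolve, followed by
    // markup, in the shape of the URLs discussed in the advisory.
    const std::string url =
        "http://nonexistent.example.invalid/\"><script>alert(1)</script>";

    std::cout << "unsafe page contains <script>: "
              << containsRawScriptTag(buildErrorPageUnsafe(url)) << "\n";
    std::cout << "safe page contains <script>:   "
              << containsRawScriptTag(buildErrorPageSafe(url)) << "\n";
    std::cout << buildErrorPageSafe(url) << "\n";
    return 0;
}
```

In Qt the same escaping is available as `Qt::escape()` (Qt 4) or `QString::toHtmlEscaped()` (Qt 5), and a KDE component rendering its own HTML should apply it to every value it did not generate itself. Escaping makes the string inert as markup; it does not validate the URL, so a value destined for an `href` should additionally be restricted to the schemes the error page is meant to retry.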

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

History

On 5th December 2009, the vendor was notified and an issue[2] was opened on
KDE's bug tracker to track the vulnerability referencing the then current
release of Rekonq which was 0.4.

Further testing identified that Qt's demo browser was also affected along
with KDE's kwebkitpart. Following this, Dawit Alemayehu of KDE patched[3]
the affected component within KDE.

The vulnerability was confirmed by the Rekonq developers on the 7th
December 2009 and an interim patch was applied. Nth Dimension notified
the Rekonq developers that they were unable to confirm that the patch
was effective but that they had found additional components of Rekonq
that were also affected.

Nth Dimension resolved to test the patch as soon as a new release was
available for the affected platform on which the bug had first been identified.

Eventually, on the 14th July 2010, Nth Dimension were able to retest the
applied patch on Rekonq 0.5. It was identified that, whilst the vulnerability
had been partially resolved, a new vector existed.

On the 21st July 2010, Nth Dimension contacted oss-security to request a
CVE for this vulnerability. Josh Bressers immediately replied, assigning
CVE-2010-2536.

Following the assignment of a CVE for this issue, Eelko Berkenpies provided
a patch[4] to resolve the outstanding symptoms of the vulnerability, which was
applied by Andrea Diamantini on the 2nd August 2010.

Current

As of the 2nd August 2010, the state of the vulnerabilities is believed to
be as follows:

| Issue                                             | 0.4 | 0.5   |
|---------------------------------------------------|-----|-------|
| Javascript injection into error page              |     |       |
| Access to cookies from invalid domains            |     | Fixed |
| Javascript injection into bookmarks, history etc  |     | Fixed |

A patch has been applied to the upstream git repository which it is believed
successfully mitigates the final symptoms of this vulnerability.

Thanks

Nth Dimension would like to thank Dawit Alemayehu of KDE, Andrea Diamantini
of Rekonq and Eelko Berkenpies for the way they worked to resolve the issue.

[1] http://www.openwall.com/lists/oss-security/2010/07/21/3
[2] https://bugs.kde.org/show_bug.cgi?id=217464
[3] http://websvn.kde.org/?view=rev&revision=1059140
[4] https://bugs.kde.org/attachment.cgi?id=49437