Konqueror contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the domains on sub-frames and sub-iframes. This could allow an attacker to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
Classification
Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related
Technical
Konqueror's cross-site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, JavaScript can access any foreign subframe that is defined in the HTML source.
Users of Konqueror and other KDE software that uses the KHTML rendering engine may fall victim to cookie stealing and other cross-site scripting attacks.
Solution
KDE has released a patch to address this vulnerability. It is also possible to work around the flaw by disabling JavaScript or cookies.