bugtraq August 2007 archive
Main Archive Page > Month Archives  > bugtraq archives
bugtraq: Konqueror: URL address bar spoofing vulnerabilities

Konqueror: URL address bar spoofing vulnerabilities

From: Robert Swiecki <jagger_at_nospam>
Date: Mon Aug 06 2007 - 21:44:15 GMT
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk

There are vulnerabilities in Konqueror that allow an attacker to spoof the URL adddress bar.

The first example uses setInterval() call with relatively small interval value (e.g. 0) to change window.location property. A browser is entrapped within the attacking web site while the user thinks that browser actually left the page.

http://alt.swiecki.net/konq2.html

The very similar problem affects Apple Safari (3.0.3) but due to recent changes in Safari code (vide
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2398 ) it's a lot harder to conduct a successful attack - URL address bat content changes so frequently so the attack is revealed to the user (variants of attack are currently under investigation).

The second one is based on the http URI scheme which allows embedding user/password parameters into it, i.e. http://user:password@domain.com. Such parameters can contain whitespaces, so the attack vector is quite obvious.

http://alt.swiecki.net/konq3.html

Tested with Konqueror 3.5.7 on Linux 2.6

The snapshot from my dekstop:
http://alt.swiecki.net/konq3.png -- Robert Swiecki