KDE Konqueror FTP PASV Response Handling Client-Side Port Scanning Vulnerability
A vulnerability has been identified in KDE Konqueror, which could be exploited by attackers to gain knowledge of sensitive information. This issue is due to an error when processing FTP PASV responses, which could be exploited by remote attackers to perform a rudimentary port-scan of systems inside an internal network by tricking a user into connecting to a malicious web page hosted on a specially crafted FTP server.
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Affected Products
KDE Konqueror versions 3.5.x
Solution
The FrSIRT is not aware of any official supplied patch for this issue.
- Login or register to post comments
- Printer-friendly version
- 1619 reads
- PDF version
More in Tux Machines
- Highlights
- Front Page
- Latest Headlines
- Archive
- Recent comments
- All-Time Popular Stories
- Hot Topics
- New Members
digiKam 7.7.0 is releasedAfter three months of active maintenance and another bug triage, the digiKam team is proud to present version 7.7.0 of its open source digital photo manager. See below the list of most important features coming with this release. |
Dilution and Misuse of the "Linux" Brand
|
Samsung, Red Hat to Work on Linux Drivers for Future TechThe metaverse is expected to uproot system design as we know it, and Samsung is one of many hardware vendors re-imagining data center infrastructure in preparation for a parallel 3D world. Samsung is working on new memory technologies that provide faster bandwidth inside hardware for data to travel between CPUs, storage and other computing resources. The company also announced it was partnering with Red Hat to ensure these technologies have Linux compatibility. |
today's howtos
|
FTP rerouting also possible in Opera and Konqueror
The security hole that was closed this week in Firefox, with versions 1.5.0.11 and 2.0.0.3, now also affects the Opera and Konqueror Web browsers. Attackers may be able to exploit the vulnerability to spy on network topology by means of manipulated FTP servers. The FTP command PASV not only allows an alternative port to be sent to the FTP client in the browser for a connection, but also the respective IP address.
Likewise, the developers of Opera also have not responded. The KDE developer team is apparently still discussing how severe the hole is.
Users can implement a workaround: either do not follow any FTP links from your browser, or disable JavaScript support.
More Here.