From: Tim Brown <tmb@65535.com>
To: Tomas Hoger <thoger@redhat.com>
Subject: Re: [oss-security]  CVE request - asterisk, python-markdown, jetty, kde
Date: Sat, 31 Oct 2009 20:50:46 +0000
User-Agent: KMail/1.9.9
References: <hccd44$uli$1@ger.gmane.org> <200910301050.54101.tmb@65535.com> <20091031204237.7ff7d34b@redhat.com>
In-Reply-To: <20091031204237.7ff7d34b@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200910312050.53440.tmb@65535.com>

On Saturday 31 October 2009 19:42:37 Tomas Hoger wrote:
> Hi Tim!
>
> On Fri, 30 Oct 2009 10:50:52 +0000 Tim Brown <tmb@65535.com> wrote:
> > * pydoc:<html><body><script>alert('xss')</script></body></html> -
> > fixed in 3.5.10
> > * man:<script src="http://server/test.js"> - fixed in 3.5.10
> > * help:<script>alert('xss')</script>
> > * info:/dir/<script>alert('xss')</script>
> > * perldoc:<body onLoad="javascript:alert(1)">
> > * help:/../../../../../../../../../../../etc/passwd
> >
> > (As we make clear in our advisory, the exploitation of these requires
> > user participation which significantly reduces their effectiveness).

The issues were originally written up in 2007 as part of a paper I circulated
to KDE.  Since at the time they were deep into KDE4 development, they didn't
have the resources to fix them at that time (although Trolltech fixed
CVE-2007-3388, which was also mentioned in said paper).  The fact that
individual cases were fixed is probably down to reports by others
independently (http://sla.ckers.org/forum/read.php?3,14265 was a public
report of the unfixed info XSS by another researcher, for example).  The patch
for man appears to be
http://websvn.kde.org/branches/KDE/3.5/kdebase/kioslave/man/kio_man.cpp?revision=669003&view=markup
but I'm not sure about pydoc (I didn't test my PoC on all point releases but
simply noticed that they'd been fixed when I was updating the paper around
the time of .10).

*snip*

> > Kind of, KMail respects the MIME type on the email attachment.  So
> > you can get into situations where a user might click on a file they
> > perceive is harmless (a .txt file for example) and still Konqueror
> > will be loaded (my advisory is as much about the attachment spoofing
> > itself as the payload).
>
> Thanks, understood.
>
> > Ark by contrast used the KHTML widget for /unknown/ file types.
>
> During the discussions with KDE upstream, has it been proposed to
> disable JavaScript in Ark previews completely (as in e.g. KMail
> previews)?  I don't see a good reason why it should be needed.

I recall it was discussed; I'm not sure what the outcome was (other than the
fact that the change wasn't made).  I actually discussed it with Aaron Seigo
at the time of the original paper; he threw up the idea of a separate IO slave
for temporary files, but this was well before I turned to oCERT having lost
faith that KDE were managing the problems I had reported.

> > Only the fact that the oCERT advisory is vague and I'm not in a
> > position to officially release our advisories myself.  We have a
> > responsible disclosure policy and whilst I wrote these advisories,
> > day to day liaison with vendors is carried out by others within
> > Portcullis as part of that process.  They are aware that oCERT have
> > published and I would expect our advisories in the coming days.
>
> Ok, thanks for clarifying!

Not a problem.  If you're okay with it, maybe I could relay these private
emails to oss-security as soon as our advisories are up?  Not verbatim, but
quoting the crucial technical bits (I don't see any value in dumping politics
onto the list).

Tim
-- 
Tim Brown
<mailto:tmb@65535.com>
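An added example, not code from KDE or from this thread, showing the defensive pattern behind fixes for the URL-based XSS vectors and the help: path traversal listed above: HTML-escape user-controlled text before embedding it in a generated page, and normalise a help: path before resolving it under the documentation root. The function names, the page layout and the assumption that the path is already percent-decoded are mine, for illustration.

```cpp
// Added example (not KDE code): neutralising the two bug classes quoted in
// the thread, an unescaped query echoed into slave-generated HTML and a
// help: path that climbs out of its document root. Names are hypothetical.
#include <string>
#include <vector>
#include <sstream>

// HTML-escape every character that could open or close a tag or attribute.
std::string htmlEscape(const std::string& in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Build a "not found" page the way a kioslave might, with the
// user-controlled query escaped before it is embedded in the markup.
std::string notFoundPage(const std::string& query) {
    return "<html><body><p>No manual entry for " + htmlEscape(query) +
           "</p></body></html>";
}

// Walk an already percent-decoded help: path component by component and
// report whether it stays under the documentation root; any ".." that
// would climb above the root rejects the whole path.
bool helpPathStaysInRoot(const std::string& path) {
    std::vector<std::string> parts;
    std::stringstream ss(path);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") continue;
        if (seg == "..") {
            if (parts.empty()) return false;  // would escape the root
            parts.pop_back();
        } else {
            parts.push_back(seg);
        }
    }
    return true;
}
```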

