Version: 3.5.8 (using KDE 3.5.8, Debian Package 4:3.5.8.dfsg.1-4 (lenny/sid))
Compiler: Target: i486-linux-gnu
OS: Linux (x86_64) release 2.6.23-1-amd64

From CVE-2007-6591: KDE Konqueror 3.5.5 and 3.95.00, when a user accepts an SSL server certificate on the basis of the CN domain name in the DN field, regards the certificate as also accepted for all domain names in subjectAltName:dNSName fields, even though these fields cannot be examined in the product, which makes it easier for remote attackers to trick a user into accepting an invalid certificate for a spoofed web site.

See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6591 for pointers to more information.
Completely correct for KDE 3.5.7. But for 4.0.3, after the domain mismatch, https:// pages on the test site given at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6591

Test Case for 4.0.3:
1. Go to http://test.eonis.org in konq. Note the alternate domain names listed here; you will be looking for these in the security certificate in the next steps.
2. Click on the link for [page 2] at the bottom of the page.
3. Note that the certificate warning provides no immediate indication of domain mismatch.
4. Click DETAILS for more information. Notice there is no report of domain mismatch.
5. Accept the certificate (for this session only).
6. Click on the [page 3] link.
7. Page 3 will not load (is this a safeguard against phishing or is this a malfunction?) and you will be greeted by this message: An error occurred while loading https://test.eonis.org/: The process for the https://test.eonis.org protocol died unexpectedly.
The above test passes just fine for me with KDE 4.7.4. I get the warning message 2x and no error page as stated in comment #1. Please note that the test page seems to be http://test.eonis.net/ and not .org one.
The test certificate seems to have multiple different issues. I agree with the fundamental issue that the cert dialog does not show subjectAltNames, that is definitely a bug. We intentionally accept wildcards in subjectAltNames (as do most browsers). We use the same algorithm as NSS for the actual wildcard handling itself. Displaying the SAN information has been possible using QSslSocket for ages, so can be implemented in 4.8.x without too much problem. Displaying other certificate extensions has only become possible in Qt 5 (I recently added it).
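As an added example (not KDE, Qt or NSS code), the Python below implements the kind of hostname-to-certificate-name matching the comment above describes: subjectAltName dNSName entries take precedence over the subject CN, and a wildcard is accepted only as the whole leftmost label, matching exactly one label. The certificate dicts are constructed sample data in the shape returned by Python's `ssl` `getpeercert()`, using the reserved `.invalid` TLD; `identities()` lists every name a warning dialog should show before the user accepts, which is exactly the SAN information the comment says the dialog omits.

```python
"""Hostname matching against a certificate's names (RFC 6125 style).

Added example, not KDE/Qt/NSS code.  Certificate dicts are constructed
sample data shaped like ssl.SSLSocket.getpeercert().
"""


def _dns_names(cert):
    """Return the dNSName entries of subjectAltName, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """Return every commonName attribute found in the subject DN."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def identities(cert):
    """Names the certificate is valid for, i.e. what a dialog must display.

    When subjectAltName carries dNSName entries the CN is ignored entirely,
    so accepting a cert "because the CN looks right" silently accepts every
    SAN entry as well.
    """
    san = _dns_names(cert)
    return san if san else _common_names(cert)


def match_pattern(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.

    A wildcard must be the entire leftmost label, must be followed by at
    least two more labels (so '*.invalid' is rejected) and matches exactly
    one label: '*.example.invalid' matches 'www.example.invalid' but not
    'example.invalid' or 'a.b.example.invalid'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards ('w*.example.invalid') and wildcards in later labels.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def matches_hostname(cert, hostname):
    """True if any of the certificate's identities covers hostname."""
    return any(match_pattern(name, hostname) for name in identities(cert))


# Constructed sample: the CN names one host, but the SAN list also covers an
# unrelated host and a wildcard.  A dialog showing only the CN hides the rest.
SAMPLE_CERT = {
    "subject": ((("commonName", "test.example.invalid"),),),
    "subjectAltName": (
        ("DNS", "test.example.invalid"),
        ("DNS", "*.other.example.invalid"),
        ("DNS", "alt.example.invalid"),
    ),
}

# Constructed sample with no SAN extension: the CN is the only identity.
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.invalid"),),)}


if __name__ == "__main__":
    for cert in (SAMPLE_CERT, CN_ONLY_CERT):
        print("accepting this certificate covers:", identities(cert))
    for host in ("test.example.invalid", "www.other.example.invalid",
                 "other.example.invalid", "a.b.other.example.invalid"):
        print(f"{host}: {matches_hostname(SAMPLE_CERT, host)}")
```

Running the block prints the full identity list for each sample certificate followed by the match result for a few hostnames; the third and fourth hostnames are rejected because the wildcard matches exactly one label, neither zero nor two.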