Version: (using KDE KDE 3.2.3)
Installed from: Compiled From Sources
Compiler: gcc 3.3
OS: Linux
http://www.heise.de/security/dienste/browsercheck/demos/ie/url-spoof.shtml
Konqueror fails in this security test of www.heise.de.
For me (Konqueror 3.2.3) the exploit doesn't work as advertised. Though the vulnerability page[1] is opened, it is opened in a distinct window (not in the same window as the Deutsche Bank page). It says, "If it is displayed as a separate page, you can ignore this message." Therefore, I conclude, khtml is not affected -- at least not for certain configurations.
[1] https://www.heise.de/security/dienste/browsercheck/demos/ie/verwundbar.html
ATTENTION: This bug is not about Framefishing (http://www.heise.de/security/dienste/browsercheck/demos/ie/frame.shtml) but about URL-Spoofing (http://www.heise.de/security/dienste/browsercheck/demos/ie/url-spoof.shtml)!
Framefishing is Bug 84352: Browser Frame Injection Vulnerability
Dammit. I should have checked the bugno before. Sorry for spamming.
To comment #1: the Deutsche Bank did change their online-banking site. Just click on a button within the linked page and try the link on heise again. On the initial Deutsche Bank site there are no frames any more. It seems the Deutsche Bank wasn't happy about being used as a security-hole example. Regards, Marcel
heise has refurbished their check for this (see link above). Konqueror is still vulnerable.
On Tuesday 12 October 2004 02:02, Jakob Schröter wrote:
> heise has refurbished their check for this (see link above). konqueror is still vulnerable.
Well, heise is a bit too paranoid here. You could put everything on a button label and still it's the user's fault to believe it. If the button label didn't say it's directing to microsoft.com, nothing would. And the link right to the button is really directing to microsoft.com. Greetings, Stephan
The problem is that when you move your mouse to the right of the button and then move to the left across the button, the status bar indicates microsoft.com while you are over the button; it shouldn't do that. Note that this doesn't happen when you move your mouse upwards of the button and then move down across the button. The problem is basically that KHTMLPart::khtmlMouseMoveEvent doesn't get called while we move over the button.
And khtmlMouseMoveEvent doesn't get called because HTMLGenericFormElementImpl::defaultEventHandler sets evt->setDefaultHandled() for form elements.
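The stale status bar described in the two comments above can be reproduced in a small model. This is an added example, not KHTML code: `HoverModel`, `Target` and `statusAfterCrossing` are hypothetical names, and the only behaviour modelled is that a form widget consumes the mouse move before the part-level handler sees it.

```cpp
#include <string>

// What the pointer is over at each sampled position (constructed model,
// not KHTML types).
enum class Target { Link, FormWidget, Plain };

struct HoverModel {
    bool resetOnWidgetEnter;   // true models a reset when a widget is entered
    std::string overURL;       // stands in for d->m_overURL
    std::string statusBar;     // hover text shown to the user
    Target last = Target::Plain;

    explicit HoverModel(bool fix) : resetOnWidgetEnter(fix) {}

    void resetHoverText() {
        if (!overURL.empty()) {   // only if a link was being shown
            overURL.clear();
            statusBar.clear();
        }
    }

    // Stands in for the part-level mouse-move handler.
    void partMouseMove(Target t, const std::string& href) {
        if (t == Target::Link) { overURL = href; statusBar = href; }
        else resetHoverText();
    }

    void mouseMove(Target t, const std::string& href) {
        bool entered = (t != last);
        last = t;
        if (t == Target::FormWidget) {
            // The form element marks the event as handled, so the
            // part-level handler never runs for this move.
            if (entered && resetOnWidgetEnter) resetHoverText();
            return;
        }
        partMouseMove(t, href);
    }
};

// Pointer starts on the link text right of the button, then moves left onto it.
std::string statusAfterCrossing(bool fix) {
    HoverModel m(fix);
    m.mouseMove(Target::Link, "http://www.microsoft.com");
    m.mouseMove(Target::FormWidget, "");
    return m.statusBar;
}

int main() { return statusAfterCrossing(true).empty() ? 0 : 1; }
```

Without the reset the button inherits the hover text of the link the pointer came from; with it the status bar is empty while the pointer is over the widget.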
Tobias Anton commented: I'm missing a design document here, too, but maybe this patch helps: Index: khtmlview.cpp =================================================================== RCS file: /home/kde/kdelibs/khtml/khtmlview.cpp,v retrieving revision 1.689 diff -u -3 -p -r1.689 khtmlview.cpp --- khtmlview.cpp 2 Feb 2005 20:27:21 -0000 1.689 +++ khtmlview.cpp 7 Feb 2005 17:16:39 -0000 @@ -2733,7 +2733,7 @@ bool KHTMLView::dispatchMouseEvent(int e button,0, _mouse, dblclick ); me->ref(); targetNode->dispatchEvent(me,exceptioncode,true); - if (me->defaultHandled() || me->defaultPrevented()) + if (me->defaultPrevented()) swallowEvent = true; me->deref();
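Review bot: The relaxed condition in KHTMLView::dispatchMouseEvent applies to every event dispatched through this function (the call passes `button` and `dblclick`), not only mouse moves, so dropping `me->defaultHandled()` also stops setting `swallowEvent` for clicks that a form element's default handler has already consumed. Limit the change to mouse-move events, or keep the `defaultHandled()` check and clear the hover text from the widget side instead.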
Re #10: This patch does make an interesting difference but actually makes the problem worse, because the mouse-move handling of the KPart consistently sets the statusbar according to the href in the <A> link instead of clearing it for the button.
Created attachment 9475
khtml_widget_mouseover.patch
Patch to reset the HoverText when hovering over a button or other form widget, please review. Note that with JavaScript enabled it continues to be possible to do onMouseOver='window.status="http://www.microsoft.com"'
CVS commit by waba: Reset statusbar when hovering over form elements. BUG: 83407 M +14 -8 khtml_part.cpp 1.1089 M +2 -1 khtml_part.h 1.278 M +1 -0 rendering/render_replaced.cpp 1.182 --- kdelibs/khtml/khtml_part.cpp #1.1088:1.1089 @@ -3506,4 +3506,16 @@ void KHTMLPart::slotClearSelection() } +void KHTMLPart::resetHoverText() +{ + if( !d->m_overURL.isEmpty() ) // Only if we were showing a link + { + d->m_overURL = d->m_overURLTarget = QString::null; + emit onURL( QString::null ); + // revert to default statusbar text + setStatusBarText(QString::null, BarHoverText); + emit d->m_extension->mouseOverInfo(0); + } +} + void KHTMLPart::overURL( const QString &url, const QString &target, bool /*shiftPressed*/ ) { @@ -6241,12 +6253,6 @@ void KHTMLPart::khtmlMouseMoveEvent( kht else // Not over a link... { - if( !d->m_overURL.isEmpty() ) // and we were over a link -> reset to "default statusbar text" - { - d->m_overURL = d->m_overURLTarget = QString::null; - emit onURL( QString::null ); - // revert to default statusbar text - setStatusBarText(QString::null, BarHoverText); - emit d->m_extension->mouseOverInfo(0); - } + // reset to "default statusbar text" + resetHoverText(); } } --- kdelibs/khtml/khtml_part.h #1.277:1.278 @@ -1495,4 +1495,5 @@ private: void stopAutoScroll(); void overURL( const QString &url, const QString &target, bool shiftPressed = false ); + void resetHoverText(); // Undo overURL and reset HoverText bool processObjectRequest( khtml::ChildFrame *child, const KURL &url, const QString &mimetype ); --- kdelibs/khtml/rendering/render_replaced.cpp #1.181:1.182 @@ -781,4 +781,5 @@ bool RenderWidget::handleEvent(const DOM QEvent moe( QEvent::Enter ); QApplication::sendEvent(m_widget, &moe); + view()->part()->resetHoverText(); break; }
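Review bot: In khtml_part.h, `resetHoverText()` is declared in the `private:` section, yet render_replaced.cpp calls it as `view()->part()->resetHoverText()` from RenderWidget::handleEvent; that only compiles if RenderWidget already has friend access to KHTMLPart. Say so in the declaration comment, so the cross-class use is visible to anyone who later touches the friend list.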
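Review bot: In the render_replaced.cpp hunk, `view()->part()->resetHoverText()` dereferences both `view()` and `part()` without a check, and it runs only in the branch that sends the synthetic `QEvent::Enter` to the widget. Confirm that neither pointer can be null when handleEvent runs, or guard the call, and add a short comment on why the Enter branch is the right place to clear the hover text.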