Bug 94867 - [testcase] No warning for fake links using username and password field of URL
Summary: [testcase] No warning for fake links using username and password field of URL
Status: RESOLVED FIXED
Alias: None
Product: kio
Classification: Frameworks and Libraries
Component: http
Version: 0.1
Platform: Gentoo Packages Linux
Importance: HI normal
Target Milestone: ---
Assignee: Konqueror Developers
Reported: 2004-12-10 23:57 UTC by samuele
Modified: 2011-06-20 17:49 UTC
Version Fixed In: 4.6.5
Description samuele 2004-12-10 23:57:50 UTC
Version:            (using KDE KDE 3.3.1)
Installed from:    Gentoo Packages
Compiler:          gcc3.3.4 
OS:                Linux

Why doesn't Konqueror warn if you click on the following link:

<A HREF="http://www.microsoft.com&item=q209354@3522684105/">http://www.microsoft.com&item=q209354@3522684105/</A>

if the site isn't Microsoft's. I know that Konqueror removes the part before "@", but it should inform the user that the site is not that one (as Firefox does).

Another example:

<A HREF="http://www.microsoft.com&item=q209354%40a%74t%69v%69s%73i%6Do%2En%65t/b/q01704.htm">http://www.microsoft.com&item=q209354%40a%74t%69v%69s%73i%6Do%2En%65t/b/q01704.htm</A>

Thank you to www.attivissimo.net

bye
Comment 1 samuele 2004-12-11 18:12:01 UTC
Sorry, but the links are not shown as I wrote them in the form :-(.
The examples are shown here:

http://www.attivissimo.net/security/fakesites/fakesites.htm

the site is in italian (sorry).
The problem seems to be that Konqueror removes the part before the "@" in the link. So it points to 3522684105, the decimal conversion of the hidden site's IP.
I propose to add a warning in this case.
bye,
sam
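The two links from the report, decoded, as an added example (Python; not code from the bug report, from attivissimo.net or from kdelibs). It assumes the lenient parsing the report's second link relies on: the authority is percent-decoded before the "@" is looked for, so "%40" acts as "@" (a strict RFC 3986 parser would treat that whole string as the host). The "userinfo that looks like a hostname" heuristic and all function names are this example's own, not KIO's or Firefox's.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed from the two links quoted in the report; nothing is fetched.
SPOOFED_LINKS = [
    "http://www.microsoft.com&item=q209354@3522684105/",
    "http://www.microsoft.com&item=q209354%40a%74t%69v%69s%73i%6Do%2En%65t/b/q01704.htm",
]

_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://(?P<authority>[^/?#]*)(?P<rest>.*)$")
# Something inside the userinfo that reads like a domain name: the trick the report describes.
_LOOKS_LIKE_HOST = re.compile(
    r"(?<![A-Za-z0-9-])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?![A-Za-z0-9-])")


def split_authority(url):
    """Return (userinfo, host, port) for an absolute URL.

    Assumption (this example's choice, matching what the report's second link
    relies on): the authority is percent-decoded *before* searching for '@',
    so "%40" acts as the userinfo delimiter.  A strict RFC 3986 parser would
    instead treat "www.microsoft.com&item=...%40a%74t...%65t" as the host.
    IPv6 literals are not handled."""
    m = _URL_RE.match(url)
    if not m:
        raise ValueError("not an absolute URL: %r" % (url,))
    authority = unquote(m.group("authority"))
    userinfo, sep, hostport = authority.rpartition("@")
    if not sep:
        userinfo = None
    host, _, port = hostport.partition(":")
    return userinfo, host, (int(port) if port else None)


def canonical_host(host):
    """Reduce the spellings used to hide a host to what the socket will see:
    a bare decimal or 0x-hex integer (the "3522684105" of the first link)
    becomes a dotted IPv4 address; anything else is lower-cased."""
    try:
        n = int(host, 0)
    except ValueError:
        return host.lower().rstrip(".")
    return str(ipaddress.ip_address(n))


def analyse(url):
    """Report where the link really goes and whether the userinfo part is
    doing the impersonation work."""
    userinfo, host, port = split_authority(url)
    return {
        "userinfo": userinfo,
        "host": canonical_host(host),
        "port": port,
        "deceptive": bool(userinfo) and _LOOKS_LIKE_HOST.search(userinfo) is not None,
    }


if __name__ == "__main__":
    for link in SPOOFED_LINKS:
        info = analyse(link)
        print("%s\n  -> host %s, userinfo %r, deceptive=%s"
              % (link, info["host"], info["userinfo"], info["deceptive"]))
```

For the first link the host is the integer 3522684105, which is 209.247.228.201 in dotted form; for the second it is attivissimo.net once the percent-encoding is undone. In both cases the "www.microsoft.com" the user sees is only the userinfo, which the server never has to acknowledge.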
Comment 2 Martin Fabian Hohenberg 2005-12-02 20:33:45 UTC
Erm, this is still valid in 3.5.0, and in fact a major security issue for the technically challenged. I suggest using some URL input line coloring (pink?) in cases where a username has been submitted like this.
Comment 3 Dirk Stoecker 2006-08-21 23:29:40 UTC
Still valid in 3.5.4.
Comment 4 Jure Repinc 2008-04-06 18:44:12 UTC
I'm using Konqueror 4 (trunk 794088) and if I understand this right there is no change in behavior and the bug is still valid. I got no warning clicking on links at the Italian site.
Comment 5 David Faure 2010-10-15 23:16:44 UTC
Indeed firefox shows a warning on the link shown in the email body on http://www.attivissimo.net/security/fakesites/fakesites.htm:

You are about to log in to the site "www.playboy.com" with the username "www%2Emicrosoft%2Ecom&item%3Dq209354rexsddiuyjkiuylkuryt2583453453fsesfsdfsfasfdfdsf", but the website does not require authentication. This may be an attempt to trick you.
Is "www.playboy.com" the site you want to visit?

We should probably do the same. I wonder how we can detect the "does not require auth" case, this sounds like it needs code in kio_http...

Also, aren't there websites which work (but differently) with and without auth? Not sure; I know this is possible with FTP, but maybe not with HTTP.
Comment 6 Samuel Brack 2011-01-04 23:08:44 UTC
Still seems to be an issue in 4.5.4; updating version.
Comment 7 Dawit Alemayehu 2011-05-26 07:00:33 UTC
Git commit 3bbd4496bc8a01e80df61763bfd0347e8ba7f09a by Dawit Alemayehu.
Committed on 25/05/2011 at 19:58.
Pushed by adawit into branch 'master'.

Show a security warning when a URL includes a bogus username intended to fool
users into visiting sites they had no intention of visiting.

Note: new string.

BUG: 94867
FIXED-IN: 4.7.0
REVIEW: 101440
CCMAIL: kde-i18n-doc@kde.org

M  +21   -0    kioslave/http/http.cpp     

http://commits.kde.org/kdelibs/3bbd4496bc8a01e80df61763bfd0347e8ba7f09a
Comment 8 Dawit Alemayehu 2011-06-15 06:24:15 UTC
Git commit 2d860223665e7881ec728ed7b1d76f77006b2f9d by Dawit Alemayehu.
Committed on 25/05/2011 at 19:58.
Pushed by adawit into branch 'KDE/4.6'.

SECURITY FIX BACKPORT:
Show a security warning when a URL includes a bogus username intended to fool
users into visiting sites they had no intention of visiting.

Note: new string.

BUG: 94867
FIXED-IN: 4.6.5

(cherry picked from commit 3bbd4496bc8a01e80df61763bfd0347e8ba7f09a)

M  +21   -0    kioslave/http/http.cpp     

http://commits.kde.org/kdelibs/2d860223665e7881ec728ed7b1d76f77006b2f9d
Comment 9 Ingo Ratsdorf 2011-06-19 12:49:30 UTC
Well guys,

that warning should at least be able to be disabled by the user.
I have akonadi-davgroupware-resource running in Akonadi and every 10 minutes I have to click on "ok" about 8 times. Sorry, but that sucks.

There are also other reports about similar issues:
http://kde-look.org/content/show.php?content=101229#c409131

My groupware server (egroupware 1.9.10) definitely needs a login and afaik it is provided, but only at the second attempt of any connection.

Can't use groupware, calendar, carddav anymore.
Please get this sorted ASAP.
Comment 10 Ingo Ratsdorf 2011-06-19 13:12:35 UTC
BTW, I do not think that this patch works at all.

I send a request:
-----------------
PROPFIND /groupdav.php/family-group/addressbook/ HTTP/1.1
Host: groupware.envirology.co.nz
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.3 (like Gecko) Kubuntu
Pragma: no-cache
Cache-control: no-cache
Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en-US,en;q=0.9
Content-Type: text/xml
Depth: 1
Content-Length: 243

The server answers with:
------------------------
HTTP/1.1 401 Unauthorized
Date: Sun, 19 Jun 2011 11:01:01 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
WWW-Authenticate: Basic realm="EGroupware CalDAV/CardDAV/GroupDAV server-10466"
X-WebDAV-Status: 401 Unauthorized
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 92
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html

So far, Kio::HTTP is happy

The client now knows it has to send the auth info to get to that data:
----------------------------------------------------------------------
PROPFIND /groupdav.php/family-group/addressbook/ HTTP/1.1
Host: groupware.envirology.co.nz
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.3 (like Gecko) Kubuntu
Pragma: no-cache
Cache-control: no-cache
Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en-US,en;q=0.9
Content-Type: text/xml
Depth: 1
Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxx
Content-Length: 243

And the server answers with the data, quite correctly:
------------------------------------------------------
HTTP/1.1 207 Multi-Status
Date: Sun, 19 Jun 2011 11:01:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Dav-Powered-By: EGroupware 1.9.011 CalDAV/CardDAV/GroupDAV server
X-WebDAV-Status: 207 Multi-Status
DAV: 1, 2, access-control, calendar-access, addressbook
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1355
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/xml; charset="utf-8"

AND HERE Kio::HTTP complains, because the user auth info is set, but of course the response is neither 401 nor 407 but 207 for a valid and successful Multi-Status (just an example).

I believe on reasonable grounds that the patch does NOT work and it will break all webdav and groupdav functionality.
Comment 11 Dawit Alemayehu 2011-06-19 16:34:13 UTC
Git commit c21ab4d337240dee22dbdc5aad3be038cb01bf15 by Dawit Alemayehu.
Committed on 19/06/2011 at 16:30.
Pushed by adawit into branch 'KDE/4.6'.

Do not show the spoofed warning box when a username is in the URL, but the
request has already been preemptively authenticated. This should address the
last use case that was not accounted for.

CCBUG: 94867

M  +10   -4    kioslave/http/http.cpp     

http://commits.kde.org/kdelibs/c21ab4d337240dee22dbdc5aad3be038cb01bf15
Comment 12 Dawit Alemayehu 2011-06-19 16:34:53 UTC
Git commit 80e1df8a7281dadaa3122888acd5c1f0bc74ad43 by Dawit Alemayehu.
Committed on 19/06/2011 at 16:30.
Pushed by adawit into branch 'master'.

Do not show the spoofed warning box when a username is in the URL, but the
request has already been preemptively authenticated. This should address the
last use case that was not accounted for.

CCBUG: 94867

(cherry picked from commit c21ab4d337240dee22dbdc5aad3be038cb01bf15)

M  +10   -4    kioslave/http/http.cpp     

http://commits.kde.org/kdelibs/80e1df8a7281dadaa3122888acd5c1f0bc74ad43
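The decision that comments 5, 10 and 11 argue over, as an added example (Python; a model written for this page, not kio_http's code). The response sequences are constructed from the PROPFIND exchange pasted in comment 10 and from the original report. `warn_first_patch` is the rule as comment 10 reads the first commit, `warn_fixed` adds the "already authenticated" exception from the follow-up commit; both names, the `Response` record and the simplified client in `simulate` are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    status: int                     # HTTP status the server returned
    request_had_credentials: bool   # did the request that produced it carry Authorization:


def warn_first_patch(url_has_username, resp):
    """Rule as comment 10 reads the first patch: a username in the URL and a
    response that is not a 401/407 challenge -> show the spoofing warning."""
    return url_has_username and resp.status not in (401, 407)


def warn_fixed(url_has_username, resp):
    """Rule with the follow-up fix: stay silent when the request was already
    authenticated, so the 207 that follows a successful challenge/response
    (or a pre-emptively authenticated request) no longer trips the warning."""
    return (url_has_username
            and not resp.request_had_credentials
            and resp.status not in (401, 407))


def simulate(url_has_username, statuses, rule, preemptive=False):
    """Drive a simplified client through a list of server status codes.

    Model (this example's assumption): the first request carries credentials
    only if `preemptive` is set; after a 401/407 the client retries the same
    request with the credentials taken from the URL, exactly as the second
    PROPFIND in comment 10 does.  Returns a list of (status, warned) pairs."""
    have_sent = preemptive and url_has_username
    out = []
    for status in statuses:
        resp = Response(status, have_sent)
        out.append((status, bool(rule(url_has_username, resp))))
        if status in (401, 407) and url_has_username:
            have_sent = True        # the next request is the authenticated retry
    return out


# Constructed scenarios.
GROUPWARE_PROPFIND = [401, 207]   # comment 10: challenge, then Multi-Status with the data
SPOOFED_LINK = [200]              # the report: the site never asked for authentication


if __name__ == "__main__":
    for name, statuses in (("groupware PROPFIND", GROUPWARE_PROPFIND),
                           ("spoofed link", SPOOFED_LINK)):
        print(name)
        print("  first patch:", simulate(True, statuses, warn_first_patch))
        print("  fixed:      ", simulate(True, statuses, warn_fixed))
```

Under the first rule the groupware sequence ends with (207, True): the warning fires on the successful reply, which is the false positive comment 10 describes. Under the fixed rule it ends with (207, False), while a link whose server answers 200 without ever challenging still warns with either rule.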
Comment 13 Dawit Alemayehu 2011-06-20 17:49:22 UTC
Git commit dc65a754549970101c0cceb65d3b3677fd7d3fc3 by Dawit Alemayehu.
Committed on 18/06/2011 at 20:23.
Pushed by adawit into branch 'master'.

Do not wait until an ioslave is finished to update other ioslaves with the
internal meta-data information it sent. Otherwise, the internal meta-data
might not be available to newly created ioslaves.

Note that this commit is only a partial improvement over commit e2d0995 and
is required to make the address spoofing security warning in kio_http work
properly for all kdewebkit based browsers.

CCBUG: 94867

M  +7    -0    kio/kio/job.cpp     
M  +26   -14   kio/kio/scheduler.cpp     
M  +7    -0    kio/kio/scheduler.h     

http://commits.kde.org/kdelibs/dc65a754549970101c0cceb65d3b3677fd7d3fc3
Comment 14 Dawit Alemayehu 2011-06-20 17:49:36 UTC
Git commit f5ff6a74142d3855b88c4bbccf504a04db21a67d by Dawit Alemayehu.
Committed on 18/06/2011 at 20:23.
Pushed by adawit into branch 'KDE/4.6'.

Do not wait until an ioslave is finished to update other ioslaves with the
internal meta-data information it sent. Otherwise, the internal meta-data
might not be available to newly created ioslaves.

Note that this improves commit e2d099586cd29cbae87ef3c4dddba6881153859b and
is required to make the address spoofing security warning in kio_http work
properly for all kdewebkit based browsers.

CCBUG: 94867

(cherry picked from commit c76097820a11d6e7015c8395f704d79386edbde1)

M  +7    -0    kio/kio/job.cpp     
M  +26   -14   kio/kio/scheduler.cpp     
M  +7    -0    kio/kio/scheduler.h     

http://commits.kde.org/kdelibs/f5ff6a74142d3855b88c4bbccf504a04db21a67d