| Summary: | [testcase] No warning for fake links using username and password field of URL | | |
|---|---|---|---|
| Product: | [Unmaintained] kio | Reporter: | samuele <silverfox> |
| Component: | http | Assignee: | Konqueror Developers <konq-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | adawit, ahartmetz, faure, ingo, maksim, samuel.brack |
| Priority: | HI | | |
| Version: | 0.1 | | |
| Target Milestone: | --- | | |
| Platform: | Gentoo Packages | | |
| OS: | Linux | | |
| Latest Commit: | | Version Fixed In: | 4.6.5 |
| Sentry Crash Report: | | | |
Description
samuele
2004-12-10 23:57:50 UTC
Sorry, but the links are not shown as I wrote them in the form :-(. The examples are shown here: http://www.attivissimo.net/security/fakesites/fakesites.htm (the site is in Italian, sorry). The problem seems to be that Konqueror removes the part before the "@" ("at") in the link, so it points to 3522684105, the decimal conversion of the hidden site's IP. I propose adding a warning in this case. Bye, sam

Erm, this is still valid in 3.5.0, and in fact a major security issue for the technically challenged. I propose using some URL input line coloring (pink?) in cases where a username has been submitted like this.

Still valid in 3.5.4.

I'm using Konqueror 4 (trunk 794088) and, if I understand this right, there is no change in behavior and the bug is still valid. I got no warning clicking on links at the Italian site.

Indeed, Firefox shows a warning on the link shown in the email body on http://www.attivissimo.net/security/fakesites/fakesites.htm:

You are about to log in to the site "www.playboy.com" with the username "www%2Emicrosoft%2Ecom&item%3Dq209354rexsddiuyjkiuylkuryt2583453453fsesfsdfsfasfdfdsf", but the website does not require authentication. This may be an attempt to trick you. Is "www.playboy.com" the site you want to visit?

We should probably do the same. I wonder how we can detect the "does not require auth" case; this sounds like it needs code in kio_http... Also, aren't there websites which work (but differently) with and without auth? Not sure; I know this is possible with FTP, but maybe not with HTTP.

Seems still to be an issue in 4.5.4, updating version.

Git commit 3bbd4496bc8a01e80df61763bfd0347e8ba7f09a by Dawit Alemayehu.
Committed on 25/05/2011 at 19:58.
Pushed by adawit into branch 'master'.

Show a security warning when a URL includes a bogus username intended to fool users into visiting sites they had no intention of visiting.

Note: new string.

BUG: 94867
FIXED-IN: 4.7.0
REVIEW: 101440
CCMAIL: kde-i18n-doc@kde.org

M  +21  -0  kioslave/http/http.cpp

http://commits.kde.org/kdelibs/3bbd4496bc8a01e80df61763bfd0347e8ba7f09a

Git commit 2d860223665e7881ec728ed7b1d76f77006b2f9d by Dawit Alemayehu.
Committed on 25/05/2011 at 19:58.
Pushed by adawit into branch 'KDE/4.6'.

SECURITY FIX BACKPORT: Show a security warning when a URL includes a bogus username intended to fool users into visiting sites they had no intention of visiting.

Note: new string.

BUG: 94867
FIXED-IN: 4.6.5
(cherry picked from commit 3bbd4496bc8a01e80df61763bfd0347e8ba7f09a)

M  +21  -0  kioslave/http/http.cpp

http://commits.kde.org/kdelibs/2d860223665e7881ec728ed7b1d76f77006b2f9d

Well guys, that warning should at least be able to be disabled by the user. I have akonadi-davgroupware-resource running in Akonadi and every 10 minutes I have to click on "OK" about 8 times. Sorry, but that sucks. There are also other reports about similar issues: http://kde-look.org/content/show.php?content=101229#c409131 My groupware server (egroupware 1.9.10) definitely needs a login and AFAIK it is provided, but only at the second attempt of any connection. Can't use groupware, calendar, CardDAV anymore. Please get this sorted ASAP.

BTW, I do not think that this patch works at all.

I send a request:
-----------------
PROPFIND /groupdav.php/family-group/addressbook/ HTTP/1.1
Host: groupware.envirology.co.nz
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.3 (like Gecko) Kubuntu
Pragma: no-cache
Cache-control: no-cache
Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en-US,en;q=0.9
Content-Type: text/xml
Depth: 1
Content-Length: 243

The server answers with:
------------------------
HTTP/1.1 401 Unauthorized
Date: Sun, 19 Jun 2011 11:01:01 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
WWW-Authenticate: Basic realm="EGroupware CalDAV/CardDAV/GroupDAV server-10466"
X-WebDAV-Status: 401 Unauthorized
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 92
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html

So far, Kio::HTTP is happy.

The client now knows it has to send the auth info to get to that data:
----------------------------------------------------------------------
PROPFIND /groupdav.php/family-group/addressbook/ HTTP/1.1
Host: groupware.envirology.co.nz
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (compatible; Konqueror/4.6; Linux) KHTML/4.6.3 (like Gecko) Kubuntu
Pragma: no-cache
Cache-control: no-cache
Accept: text/html, image/jpeg;q=0.9, image/png;q=0.9, text/*;q=0.9, image/*;q=0.9, */*;q=0.8
Accept-Encoding: x-gzip, x-deflate, gzip, deflate
Accept-Charset: utf-8, utf-8;q=0.5, *;q=0.5
Accept-Language: en-US,en;q=0.9
Content-Type: text/xml
Depth: 1
Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxx
Content-Length: 243

And the server answers with the data, quite correctly:
------------------------------------------------------
HTTP/1.1 207 Multi-Status
Date: Sun, 19 Jun 2011 11:01:02 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Dav-Powered-By: EGroupware 1.9.011 CalDAV/CardDAV/GroupDAV server
X-WebDAV-Status: 207 Multi-Status
DAV: 1, 2, access-control, calendar-access, addressbook
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1355
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/xml; charset="utf-8"

AND HERE Kio::HTTP complains, because the user auth info is set, but of course the response is neither 401 nor 407, but 207 for a valid and successful MULTISTATUS (just an example).

I believe on reasonable grounds that the patch does NOT work and it will break all WebDAV and GroupDAV functionality.

Git commit c21ab4d337240dee22dbdc5aad3be038cb01bf15 by Dawit Alemayehu.
Committed on 19/06/2011 at 16:30.
Pushed by adawit into branch 'KDE/4.6'.

Do not show the spoofed warning box when a username is in the URL, but the request has already been preemptively authenticated. This should address the last use case that was not accounted for.

CCBUG: 94867

M  +10  -4  kioslave/http/http.cpp

http://commits.kde.org/kdelibs/c21ab4d337240dee22dbdc5aad3be038cb01bf15

Git commit 80e1df8a7281dadaa3122888acd5c1f0bc74ad43 by Dawit Alemayehu.
Committed on 19/06/2011 at 16:30.
Pushed by adawit into branch 'master'.

Do not show the spoofed warning box when a username is in the URL, but the request has already been preemptively authenticated. This should address the last use case that was not accounted for.

CCBUG: 94867
(cherry picked from commit c21ab4d337240dee22dbdc5aad3be038cb01bf15)

M  +10  -4  kioslave/http/http.cpp

http://commits.kde.org/kdelibs/80e1df8a7281dadaa3122888acd5c1f0bc74ad43

Git commit dc65a754549970101c0cceb65d3b3677fd7d3fc3 by Dawit Alemayehu.
Committed on 18/06/2011 at 20:23.
Pushed by adawit into branch 'master'.

Do not wait until an ioslave is finished to update other ioslaves with the internal meta-data information it sent. Otherwise, the internal meta-data might not be available to newly created ioslaves.

Note that this commit is only a partial improvement over commit e2d0995 and is required to make the address spoofing security warning in kio_http work properly for all kdewebkit based browsers.

CCBUG: 94867

M  +7   -0   kio/kio/job.cpp
M  +26  -14  kio/kio/scheduler.cpp
M  +7   -0   kio/kio/scheduler.h

http://commits.kde.org/kdelibs/dc65a754549970101c0cceb65d3b3677fd7d3fc3

Git commit f5ff6a74142d3855b88c4bbccf504a04db21a67d by Dawit Alemayehu.
Committed on 18/06/2011 at 20:23.
Pushed by adawit into branch 'KDE/4.6'.

Do not wait until an ioslave is finished to update other ioslaves with the internal meta-data information it sent. Otherwise, the internal meta-data might not be available to newly created ioslaves.

Note that this improves commit e2d099586cd29cbae87ef3c4dddba6881153859b and is required to make the address spoofing security warning in kio_http work properly for all kdewebkit based browsers.

CCBUG: 94867
(cherry picked from commit c76097820a11d6e7015c8395f704d79386edbde1)

M  +7   -0   kio/kio/job.cpp
M  +26  -14  kio/kio/scheduler.cpp
M  +7   -0   kio/kio/scheduler.h

http://commits.kde.org/kdelibs/f5ff6a74142d3855b88c4bbccf504a04db21a67d
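A small model of both the spoof in the original report (a decoy hostname in the userinfo part of the link, the real host hidden as a decimal IP) and the warning rule described in the commits and the GroupDAV complaint above. This is an illustration added here, not code from kdelibs or kio_http; the sample link, the groupware.example URL and the exact decision in should_warn (username present, no 401/407 challenge, and after the 19/06/2011 follow-up an exemption for requests that already carried an Authorization header) are assumptions that follow the comments on this page, not a reproduction of http.cpp.

```python
"""
Model of the "bogus username in the URL" spoof from this bug and of the
kio_http warning rule the fix describes.  Written for this page as an
illustration; it is not code from kdelibs/kio.
"""
import ipaddress
from urllib.parse import unquote, urlsplit

# Constructed sample link in the style of the fakesites page: the text before
# '@' is userinfo (never sent to the server); the real host is a decimal IP.
SPOOFED_LINK = "http://www%2Emicrosoft%2Ecom&item%3Dq209354@3522684105/"
PLAIN_LINK = "http://example.com/"


def decode_host(host):
    """Turn a host written as a bare decimal integer into dotted-quad form
    ("3522684105" -> "209.247.228.201"); any other host is returned as-is."""
    if host.isdigit() and int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return host


def describe_link(url):
    """Split a link the way a browser does and report what a user is misled
    by: the decoded userinfo and the real destination host."""
    parts = urlsplit(url)
    username = unquote(parts.username) if parts.username is not None else None
    return {
        "username": username,
        "real_host": decode_host(parts.hostname or ""),
        # A username that itself looks like a hostname is the spoofing signal.
        "username_looks_like_host": username is not None and "." in username,
    }


def warning_text(url):
    """Firefox-style prompt quoted in the bug, built from the parsed link."""
    info = describe_link(url)
    if info["username"] is None:
        return None
    return ('You are about to log in to the site "%s" with the username "%s", '
            "but the website does not require authentication. "
            "This may be an attempt to trick you."
            % (info["real_host"], info["username"]))


def should_warn(url, status, sent_authorization, honor_preemptive_auth=True):
    """Warning rule as described in the commits on this bug (a model, not the
    kio_http implementation):
      - a username in the URL is the trigger;
      - a 401/407 response means the server wanted credentials, so no warning;
      - after the 19/06/2011 follow-up, a request that already carried an
        Authorization header (preemptive auth) is also exempt.
    """
    if urlsplit(url).username is None:
        return False
    if status in (401, 407):
        return False
    if honor_preemptive_auth and sent_authorization:
        return False
    return True


def replay(url, exchange, honor_preemptive_auth=True):
    """Apply should_warn to each (status, sent_authorization) step of an
    exchange and return the per-response warning decisions."""
    return [should_warn(url, status, auth, honor_preemptive_auth)
            for status, auth in exchange]


# Constructed stand-in for the GroupDAV exchange in the 19/06/2011 comment:
# an anonymous PROPFIND gets a 401 challenge, the retry carrying
# Authorization gets a 207 Multi-Status.
GROUPDAV_URL = "http://user@groupware.example/groupdav.php/addressbook/"
GROUPDAV_EXCHANGE = [(401, False), (207, True)]

if __name__ == "__main__":
    print(describe_link(SPOOFED_LINK))
    print(warning_text(SPOOFED_LINK))
    print("spoofed link, 200 without auth:", should_warn(SPOOFED_LINK, 200, False))
    print("groupdav, first fix only:      ", replay(GROUPDAV_URL, GROUPDAV_EXCHANGE, False))
    print("groupdav, with follow-up fix:  ", replay(GROUPDAV_URL, GROUPDAV_EXCHANGE, True))
```

Run as a script, it shows the decoy username and the decoded real host for the spoofed link, a warning for a spoofed link answered with 200, and for the GroupDAV exchange a warning on the 207 response under the first fix alone (the false positive reported above) that disappears once preemptively authenticated requests are exempted.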