SecurityTracker.com
Category:  Application (Web Browser)  >  KDE Konqueror
Vendors:  KDE.org
KDE Konqueror Web Browser SSL Security Flaw Lets Remote Users Conduct Man-in-the-Middle Attacks to Access Sensitive Information
Date:  Dec 27 2001
Impact:  Disclosure of user information
Exploit Included:  Yes  
Version(s): Konqueror 2.2.1, 2.1, possibly other versions
Description:  A vulnerability has been reported in the KDE Konqueror web browser that allows a remote user to perform a Secure Sockets Layer (SSL) man-in-the-middle attack without being detected by most users.

It is reported that the flaw is due to the way in which Konqueror checks HTTPS objects that are embedded in normal HTTP pages. In this case, Konqueror reportedly checks that the certificate of the SSL web server is properly signed by a trusted certificate authority (CA) but does not verify whether the certificate has expired or whether it was issued for the correct host name. This is apparently accepted behavior, because HTTPS objects within HTTP pages are treated as non-secure. However, Konqueror reportedly considers the certificate to be trusted and caches the trust relationship until the browser session ends. As a result, once this situation has occurred, a man-in-the-middle attack is possible. If the user then visits a site with an expired certificate or invalid host name binding, Konqueror will not warn of this as long as the certificate was signed by a trusted CA.
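A simplified model of the state error described above, added here as an illustration and not Konqueror's code: `FlawedSession` caches full trust after the CA-only check on an embedded object, while `ScopedSession` caches only full-check passes bound to the host they were made for. All class, function and host names are assumptions, and the certificate is constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
@dataclass(frozen=True)
class Cert:                      # constructed model, not a real X.509 parser
    fingerprint: str
    issued_to: str
    not_after: date
    ca_signed: bool

def full_check(cert, host, today):
    """Checks expected for a top-level HTTPS page; returns the warnings to show."""
    warnings = []
    if not cert.ca_signed:
        warnings.append("untrusted CA")
    if cert.not_after < today:
        warnings.append("expired")
    if cert.issued_to != host:
        warnings.append("host name mismatch")
    return warnings

class FlawedSession:
    """Reported behaviour: a CA-only check on an embedded object caches full trust."""
    def __init__(self):
        self.trusted = set()
    def load_embedded(self, cert):
        if cert.ca_signed:                      # expiry and host name not checked
            self.trusted.add(cert.fingerprint)  # ...yet cached as trusted
    def navigate(self, cert, host, today):
        if cert.fingerprint in self.trusted:
            return []                           # no warning shown
        return full_check(cert, host, today)

class ScopedSession(FlawedSession):
    """Caches only full-check passes, bound to the host they were made for."""
    def load_embedded(self, cert):
        pass                                    # partial check grants no cached trust
    def navigate(self, cert, host, today):
        if (cert.fingerprint, host) in self.trusted and cert.not_after >= today:
            return []
        warnings = full_check(cert, host, today)
        if not warnings:
            self.trusted.add((cert.fingerprint, host))
        return warnings

def run(session_cls):
    cert = Cert("ab:cd", "other.example", date(2002, 6, 1), True)  # constructed: wrong host
    session = session_cls()
    session.load_embedded(cert)                 # HTTPS object inside an HTTP page
    return session.navigate(cert, "shop.example", date(2001, 12, 27))
```

`run(FlawedSession)` returns no warnings for the mismatched certificate, while `run(ScopedSession)` returns the host name mismatch warning.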

A proof-of-concept web page is reportedly available at http://suspekt.org/. Clicking the "To the secure page..." link will send your browser to https://suspekt.org/ without Konqueror warning you that the certificate was not issued to that server.

Impact:  A remote user can, in certain situations, conduct a man-in-the-middle attack. The remote user may be able to use an invalid but properly signed certificate to impersonate a valid and trusted secure web site.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.konqueror.org/konq-browser.html
Cause:  State error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  Tested on Mandrake Linux 8.1 + OpenSSL 0.9.6b
Reported By:  Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Message History:   None.


 Source Message Contents

Date:  Tue, 25 Dec 2001 16:14:39 +0100
From:  Przemyslaw Frasunek <venglin@freebsd.lublin.pl>
Subject:  Re: IE https certificate attack

 

On Saturday 22 December 2001 15:37, security@e-matters.de wrote:
>    A proof of concept webpage was put up at http://suspekt.org. Clicking
>    onto the "To the secure page..." link will send your browser to
>    https://suspekt.org without IE warning you that the certificate was not
>    issued onto that server.

Looks like Konqueror 2.2.1 (Mandrake Linux 8.1 + OpenSSL 0.9.6b) is also
vulnerable. I got no warning when entering this page. I've also tested it
with lynx 2.8.4rel.1 (compiled with OpenSSL 0.9.6a on FreeBSD) with the
same result.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *

 


Copyright 2002, SecurityGlobal.net LLC