| Summary: | KDE Security Advisory: URI Handler Vulnerabilities | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Eldad Zack (RETIRED) <eldad> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED DUPLICATE | ||
| Severity: | critical | CC: | kde |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | All | ||
| URL: | http://www.kde.org/info/security/advisory-20040517-1.txt | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
1. Systems affected: All versions of KDE up to KDE 3.2.2 inclusive. 2. Overview: iDEFENSE identified a vulnerability in the Opera Web Browser that could allow remote attackers to create or truncate arbitrary files. The KDE team has found that similar vulnerabilities exists in KDE. The telnet, rlogin, ssh and mailto URI handlers in KDE do not check for '-' at the beginning of the hostname passed, which makes it possible to pass an option to the programs started by the handlers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0411 to this issue.