Debian Security Advisory

DSA-167-1 kdelibs -- cross site scripting

Date Reported:
16 Sep 2002
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2002-1151.
More information:

A cross site scripting problem has been discovered in Konqueror, a famous browser for KDE and other programs using KHTML. The KDE team reports that Konqueror's cross site scripting protection fails to initialize the domains on sub-(i)frames correctly. As a result, JavaScript is able to access any foreign subframe which is defined in the HTML source. Users of Konqueror and other KDE software that uses the KHTML rendering engine may become victim of a cookie stealing and other cross site scripting attacks.

This problem has been fixed in version 2.2.2-13.woody.3 for the current stable distribution (woody) and in version 2.2.2-14 for the unstable distribution (sid). The old stable distribution (potato) is not affected since it didn't ship KDE.

We recommend that you upgrade your kdelibs package and restart Konqueror.

Fixed in:

Debian GNU/Linux 3.0 (woody)

Architecture-independent component:
Intel IA-32:
Intel IA-64:
HP Precision:
Motorola 680x0:
Big endian MIPS:
Little endian MIPS:
IBM S/390:
Sun Sparc:

MD5 checksums of the listed files are available in the original advisory.