===================================================================== CERT-Renater Note d'Information No. 2007/VULN140 _____________________________________________________________________ DATE : 22/03/2007 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running KDE. ====================================================================== KDE Security Advisory: khtml/konqueror title XSS vulnerability Original Release Date: 2007-02-06 URL: http://www.kde.org/info/security/advisory-20070206-1.txt 0. References CVE-2007-0537 1. Systems affected: KDE including KDE 3.5.6. 2. Overview: Jose Avila noticed that there is a possibility to inject javascript references in tags on websites that allow user supplied data to be embeded inside the page title and do not properly escape the text. 3. Impact: On affected websites it is possible to conduct XSS attacks and steal authorisation data. 4. Solution: Source code patches have been made available which fix these vulnerabilities. Contact your OS vendor / binary package provider for information about how to obtain updated binary packages. 5. Patch: Patch for KDE 3.5.6 and newer ftp://ftp.kde.org/pub/kde/security_patches : edc2cba17795356e98eba6f3841c6277 post-3.5.6-kdelibs.diff ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================