Possible security leakage in default Konqueror?

Helge Kreutzmann kreutzm at itp.uni-hannover.de
Fri Mar 7 14:25:56 GMT 2003


Hello,
I am not subscribed, so please CC me if there are points unclear in
this bug report.

Our local system administrators just installed KDE 3.1. Many users
here do not use the entire KDE environment, but just selected
programs. So I started Konqueror and was greeted with the question
whether I would allow a cookie from ad.doubleclick.net, which stunned me,
because I only saw my home directory. Screenshot:

http://www.itp.uni-hannover.de/~kreutzm/data/

I finally found the cause. Konqueror renders documents found in the
home directory, and I had an HTML file in my home directory which had
an inline graphic from ad.doubleclick.net. It tried to retrieve this
graphic, which in turn caused ad.doubleclick.net to set a cookie.
Fortunately Konqueror asked before accepting the cookie.

IMHO this should not be the default behavior. There could be *any*
kind of document in my home directory, retrieved from various sources.
If they get parsed and "executed", then information is transmitted to
an unknown host. I think by default parsing should be disabled or at
least limited to local resolution. I am not sure what kind of
information exactly is transmitted (probably browser, my IP).

Suppose I have a machine where only local work should be done. Then a
user simply *viewing his home directory* would violate this requirement,
although unknowingly.

I was told I can disable the preview, but to do this I have to start
Konqueror at least once (so I am told, correct me if I am wrong); even
if I can add some text files directly, 99% of the users probably don't
do it (I did not know about this problem before starting Konqueror
either).

My suggestions in order of preference:
*) Limit parsing of documents to the documents only. No PostScript may
   call the shell, and no HTML references beyond the HTML document itself
   are loaded by default (e.g. inline graphics). Of course, the user may
   activate this feature, but then e.g. limit it to locally available
   resources only. I know that the latter term is not without problems.
*) If the previous is not possible, then at least limit the references
   to local documents. So no connections over HTTP, FTP, ... or any other
   network protocol can be initiated without explicit request, i.e.
   by either setting an option or by having an "Open with full content
   (may leak privacy information)" option.

*) As a short term solution I suggest disabling document preview and
   handing out an appropriate warning when enabling it by the user.


Probably those solutions aren't easy, but they should be worth the effort
to create a secure environment.

Please note that while I am constantly connected to the web, some
people might have an autodialer running. So whenever Konqueror
displays certain directories, the autodialer would fetch the inline
graphics, even if no cookies are involved. Many users would simply
wonder why the computer is dialing or why their telephone bill is higher than
expected. So this bug also has a financial aspect.

Thank you for listening

           Helge Kreutzmann

P.S. Please excuse me if this is the wrong way to report the bug, but
     I was explicitly asked by our local KDE guru to report it this
     way.

-- 
Helge Kreutzmann, Dipl.-Phys.               Helge.Kreutzmann at itp.uni-hannover.de
  gpg signed mail preferred    gpg-key: finger kreutzm at rigel.itp.uni-hannover.de
    64bit GNU powered                  http://www.itp.uni-hannover.de/~kreutzm
       Help keep free software "libre": http://www.freepatents.org/
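Editor's added example (not part of the above report and not KDE/Konqueror code): a small Python scanner that does what the report asks an administrator to reason about by hand. It parses HTML the way a previewer would, collects every reference a renderer fetches automatically (img, script, link, iframe, object, body background, ...), and classifies each as local, network, inline (data:) or other, so one can list which files in a home directory would cause outbound connections when a file manager generates previews. The two sample documents and the host names ad.example.net, cdn.example.org and the file paths are constructed for the example; ad.example.net stands in for the tracking host in the report.

```python
"""List HTML files whose preview would contact a remote host.

Added example, not code from the original bug report or from KDE.
Sample documents and host names below are constructed.
"""
import os
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Elements and attributes a renderer loads without user interaction.
# A plain <a href> is deliberately absent: it is only followed on click.
AUTO_FETCH = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),          # stylesheets, icons, prefetch hints
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "input": ("src",),          # <input type="image">
    "body": ("background",),
    "table": ("background",),
}
NETWORK_SCHEMES = {"http", "https", "ftp", "ws", "wss"}


class ResourceCollector(HTMLParser):
    """Collect URLs from attributes that trigger automatic fetches."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = AUTO_FETCH.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # srcset is "url descriptor, url descriptor, ..."; take each url.
            candidates = value.split(",") if name == "srcset" else [value]
            for cand in candidates:
                tokens = cand.split()
                if tokens:
                    self.refs.append(tokens[0])


def classify(ref):
    """Return (kind, host): "network" opens a connection when resolved from a
    file:// document, "local" is a relative or file: path, "inline" is data:,
    "other" covers schemes such as mailto:."""
    parts = urlsplit(ref.strip())
    scheme = parts.scheme.lower()
    if scheme == "data":
        return "inline", None
    # Protocol-relative "//host/path" also names a remote host; treat as network.
    if scheme in NETWORK_SCHEMES or (scheme == "" and parts.netloc):
        return "network", parts.hostname
    if scheme in ("", "file"):
        return "local", None
    return "other", parts.hostname


def scan_html(text):
    """Return [(ref, kind, host)] for every auto-fetched resource in text."""
    collector = ResourceCollector()
    collector.feed(text)
    collector.close()
    return [(ref,) + classify(ref) for ref in collector.refs]


def network_hosts(text):
    """Hosts contacted merely by rendering the document."""
    return {h for _, kind, h in scan_html(text) if kind == "network" and h}


def scan_directory(root):
    """Map each .html/.htm file under root to the hosts its preview contacts."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hosts = network_hosts(fh.read())
                if hosts:
                    findings[path] = hosts
    return findings


# Constructed sample: the kind of file that caused the report.
SAMPLE_LEAKY = """<html><body background="bg.png">
<img src="http://ad.example.net/pixel.gif" width=1 height=1>
<img srcset="local.png 1x, https://cdn.example.org/hi.png 2x">
<link rel=stylesheet href="style.css">
<a href="https://www.example.com/">not fetched until clicked</a>
<img src="data:image/gif;base64,R0lGODlh">
</body></html>"""

# Constructed sample: only local references, safe to preview offline.
SAMPLE_LOCAL = """<html><body><img src="photo.jpg">
<img src="file:///home/user/pics/cat.png"></body></html>"""

if __name__ == "__main__":
    # Usage: python scan.py ~  (no argument: show the constructed sample)
    if len(sys.argv) > 1:
        for path, hosts in sorted(scan_directory(sys.argv[1]).items()):
            print(f"{path}: {', '.join(sorted(hosts))}")
    else:
        for ref, kind, host in scan_html(SAMPLE_LEAKY):
            print(f"{kind:8} {host or '-':18} {ref}")
```

The scanner is deliberately conservative in the direction the report argues for: a protocol-relative reference is counted as network, and a bare `<a href>` is not, because only resources the renderer loads on its own leak anything at preview time. It does not look inside CSS (`url()` in style attributes or `@import` in stylesheets) or at scripts, so a clean result here is not proof that a document is network-silent; it is a quick way to find the obvious offenders before enabling previews.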