
Bug#294204: konqueror: IDN URL Spoofing



Package: konqueror
Version: 4:3.3.2-1
Severity: normal

http://www.shmoo.com/idn/ shows a proof-of-concept attack
against konqueror amongst other browsers (konqueror isn't
explicitly listed as vulnerable).

The basic attack is using homographs in URLs
(two characters from different Unicode pages which
look different but are for different roles).

The upstream authors are marking this as 'wish-list',
but other browsers are handling this as serious.

They are also indicating that this may be
reassigned to kde-core, please reassign here if
required.

Colin S. Miller


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.7-1-386
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages konqueror depends on:
ii  kcontrol                 4:3.3.2-1       KDE Control Center
ii  kdebase-kio-plugins      4:3.3.2-1       KDE I/O Slaves
ii  kdelibs4                 4:3.3.2-1       KDE core libraries
ii  kdesktop                 4:3.3.2-1       KDE Desktop
ii  kfind                    4:3.3.2-1       KDE File Find Utility
ii  libart-2.0-2             2.3.16-6        Library of functions for 2D graphi
ii  libc6                    2.3.2.ds1-20    GNU C Library: Shared libraries an
ii  libfam0c102              2.7.0-6         client library to control the FAM 
ii  libgcc1                  1:3.4.3-6       GCC support library
ii  libice6                  4.3.0.dfsg.1-10 Inter-Client Exchange library
ii  libidn11                 0.5.2-3         GNU libidn library, implementation
ii  libjpeg62                6b-9            The Independent JPEG Group's JPEG 
ii  libkonq4                 4:3.3.2-1       Core libraries for KDE's file mana
ii  libpcre3                 4.5-1.1         Perl 5 Compatible Regular Expressi
ii  libpng12-0               1.2.8rel-1      PNG library - runtime
ii  libqt3c102-mt            3:3.3.3-8       Qt GUI Library (Threaded runtime v
ii  libsm6                   4.3.0.dfsg.1-10 X Window System Session Management
ii  libstdc++5               1:3.3.5-5       The GNU Standard C++ Library v3
ii  libx11-6                 4.3.0.dfsg.1-10 X Window System protocol client li
ii  libxext6                 4.3.0.dfsg.1-10 X Window System miscellaneous exte
ii  libxrender1              0.8.3-7         X Rendering Extension client libra
ii  xlibs                    4.3.0.dfsg.1-10 X Keyboard Extension (XKB) configu
ii  zlib1g                   1:1.2.2-3       compression library - runtime

-- no debconf information
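
A defensive check for the homograph problem described in the report, as an added example that is not part of the original bug report or of Konqueror's code: it flags hostname labels that mix scripts and falls back to the ASCII (punycode) form for display. Script detection via Unicode character names is an approximation, the function names are hypothetical, and the sample hostname is constructed.

```python
import unicodedata


def char_script(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphen are shared by all scripts
    try:
        return unicodedata.name(ch).split()[0]  # e.g. "LATIN", "CYRILLIC"
    except ValueError:
        return "UNKNOWN"  # unnamed code point: treat as its own script


def label_scripts(label):
    """Set of scripts used in one DNS label, ignoring shared characters."""
    return {char_script(c) for c in label} - {"COMMON"}


def review_host(host):
    """Return (ascii_form, labels_that_mix_scripts) for a Unicode hostname."""
    ascii_form = host.encode("idna").decode("ascii")  # IDNA ToASCII per label
    suspicious = [l for l in host.split(".") if len(label_scripts(l)) > 1]
    return ascii_form, suspicious


def display_form(host):
    """Show the punycode form whenever any label mixes scripts."""
    ascii_form, suspicious = review_host(host)
    return ascii_form if suspicious else host


if __name__ == "__main__":
    # Constructed sample: the third letter is CYRILLIC SMALL LETTER A (U+0430).
    for host in ("example.com", "ex\u0430mple.com"):
        ascii_form, suspicious = review_host(host)
        print(f"{host!r}: ascii={ascii_form} mixed={suspicious} "
              f"shown as {display_form(host)}")
```

A label written entirely in one non-Latin script passes this check, so it covers only the mixed-script case.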


