From simpleguy@simpleguy.com Tue Oct 15 15:16:44 2002 From: Ajay R Ramjatan To: bugtraq@securityfocus.com Date: Fri, 11 Oct 2002 14:22:19 +0400 Subject: Security hole in kpf - KDE personal fileserver. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SECURITY ADVISORY Author: Ajay R Ramjatan Date: 11 October 2002 Software: kpf - KDE Personal File Server (part of kdenetwork) Vulnerable: kpf of any KDE release between KDE 3.0.1 and KDE 3.0.3a Fixed: kpf from kdenetwork 3.0.4 INTRODUCTION kpf allows a user to run a small http server and easily 'share' a directory on a certain port. Using specially crafted URLs, its possible to view content outside the specified root directory. DESCRIPTION A few days ago, I used the kpf applet to quickly 'share' a directory on my system for a friend. When testing with a browser, I noticed that jpeg files had an icon next to them. Curiosity compelled me to check the path of those icons. It turned out the icons were being read from my own machine and their URL was in the form http://127.0.0.1:8001/?icon=/usr/local/kde/share/icons/hicolor \ /32x32/mimetypes/image.png Using ?icon=/ in the URL shown above causes kpf to display the system's root directory, and going from there, its posible to read any file which is readable by the user running kpf. I immediately closed kpf and notified rikkus on #kde-devel@Openprojects who acknowledged the hole and immediately fixed it. SOLUTION The KDE advisory of the problem is here: http://www.kde.org/info/security/advisory-20021008-2.txt It includes locations of where to get updated packages and patches. THANKS TO Rikkus @ OpenProjects for fixing the hole quickly. Larry^Flynt @ DALnet. Without him asking me to 'share' some jpegs with him, I would have never discovered that hole. Ajay R Ramjatan http://www.simpleguy.com - -EOF -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (GNU/Linux) iD8DBQE9pqZhajQ2fz6QGn8RAqqWAJ9hX09lucd8JJlZC2EaxAxbLpq+ZACgwT1L oJ8F2zrpRAcoO3hLPHH+xH8= =+g5X -----END PGP SIGNATURE-----