Vulnerability Bulletins |
Inyección de cookies en múltiples navegadores |
|
Vulnerability classification |
|
| Property | Value |
| Confidence level | Oficial |
| Impact | Obtener acceso |
| Dificulty | Experto |
| Required attacker level | Acceso remoto sin cuenta a un servicio estandar |
System information |
|
| Property | Value |
| Affected manufacturer | Comercial Software |
| Affected software |
Internet Explorer Mozilla Konqueror KDE <=3.2.3 |
Description |
|
|
Se ha descubierto una vulnerabilidad de inyección de cookies que afecta a múltiples navegadores. Se trata de una vulnerabilidad de inyección de cookies "cross-domain" que reside en el manejo del campo "domain" y que afecta al tratamiento de dominios de país divididos en dos partes, por ejemplo, .co.uk. Esta vulnerabilidad permitiría a un dominio "ejemplo.co.uk" especificar una cookie con el campo domain=.co.uk y esta sería enviada por el navegador a todos los hosts dentro del dominio .co.uk. La explotación de esta vulnerabilidad podría permitir a un atacante remoto lanzar un ataque de fijación de ID de sesión contra aplicaciones Web mediante un servidor Web especialmente diseñado. |
|
Solution |
|
|
Actualización de software Internet Explorer No existe solución por el momento http://www.microsoft.com/ Mozilla No existe solución por el momento http://www.mozilla.org/ Konqueror KDE 3.0.5b - Parches ftp://ftp.kde.org/pub/kde/security_patches/post-3.0.5b-kdelibs-kcookiejar.patch KDE 3.1.5 - Parches ftp://ftp.kde.org/pub/kde/security_patches/post-3.1.5-kdelibs-kcookiejar.patch KDE 3.2.3 - Parches ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-kcookiejar.patch KDE 3.3 http://www.kde.org/info/3.3.php Red Hat Linux Red Hat Desktop (v. 3) AMD64 kdebase-3.1.3-5.4.x86_64.rpm kdebase-devel-3.1.3-5.4.x86_64.rpm kdelibs-3.1.3-6.6.x86_64.rpm kdelibs-devel-3.1.3-6.6.x86_64.rpm SRPMS kdebase-3.1.3-5.4.src.rpm kdelibs-3.1.3-6.6.src.rpm i386 kdebase-3.1.3-5.4.i386.rpm kdebase-devel-3.1.3-5.4.i386.rpm kdelibs-3.1.3-6.6.i386.rpm kdelibs-devel-3.1.3-6.6.i386.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux AS (v. 2.1) SRPMS kdelibs-2.2.2-13.src.rpm i386 arts-2.2.2-13.i386.rpm kdelibs-2.2.2-13.i386.rpm kdelibs-devel-2.2.2-13.i386.rpm kdelibs-sound-2.2.2-13.i386.rpm kdelibs-sound-devel-2.2.2-13.i386.rpm ia64 arts-2.2.2-13.ia64.rpm kdelibs-2.2.2-13.ia64.rpm kdelibs-devel-2.2.2-13.ia64.rpm kdelibs-sound-2.2.2-13.ia64.rpm kdelibs-sound-devel-2.2.2-13.ia64.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux AS (v. 3) AMD64 kdebase-3.1.3-5.4.x86_64.rpm kdebase-devel-3.1.3-5.4.x86_64.rpm kdelibs-3.1.3-6.6.x86_64.rpm kdelibs-devel-3.1.3-6.6.x86_64.rpm SRPMS kdebase-3.1.3-5.4.src.rpm kdelibs-3.1.3-6.6.src.rpm i386 kdebase-3.1.3-5.4.i386.rpm kdebase-devel-3.1.3-5.4.i386.rpm kdelibs-3.1.3-6.6.i386.rpm kdelibs-devel-3.1.3-6.6.i386.rpm ia64 kdebase-3.1.3-5.4.ia64.rpm kdebase-devel-3.1.3-5.4.ia64.rpm kdelibs-3.1.3-6.6.ia64.rpm kdelibs-devel-3.1.3-6.6.ia64.rpm ppc kdebase-3.1.3-5.4.ppc.rpm kdebase-devel-3.1.3-5.4.ppc.rpm kdelibs-3.1.3-6.6.ppc.rpm kdelibs-devel-3.1.3-6.6.ppc.rpm s390 kdebase-3.1.3-5.4.s390.rpm kdebase-devel-3.1.3-5.4.s390.rpm kdelibs-3.1.3-6.6.s390.rpm kdelibs-devel-3.1.3-6.6.s390.rpm s390x kdebase-3.1.3-5.4.s390x.rpm kdebase-devel-3.1.3-5.4.s390x.rpm kdelibs-3.1.3-6.6.s390x.rpm kdelibs-devel-3.1.3-6.6.s390x.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux ES (v. 2.1) SRPMS kdebase-2.2.2-12.src.rpm kdelibs-2.2.2-13.src.rpm i386 arts-2.2.2-13.i386.rpm kdebase-2.2.2-12.i386.rpm kdebase-devel-2.2.2-12.i386.rpm kdelibs-2.2.2-13.i386.rpm kdelibs-devel-2.2.2-13.i386.rpm kdelibs-sound-2.2.2-13.i386.rpm kdelibs-sound-devel-2.2.2-13.i386.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux ES (v. 3) AMD64 kdebase-3.1.3-5.4.x86_64.rpm kdebase-devel-3.1.3-5.4.x86_64.rpm kdelibs-3.1.3-6.6.x86_64.rpm kdelibs-devel-3.1.3-6.6.x86_64.rpm SRPMS kdebase-3.1.3-5.4.src.rpm kdelibs-3.1.3-6.6.src.rpm i386 kdebase-3.1.3-5.4.i386.rpm kdebase-devel-3.1.3-5.4.i386.rpm kdelibs-3.1.3-6.6.i386.rpm kdelibs-devel-3.1.3-6.6.i386.rpm ia64 kdebase-3.1.3-5.4.ia64.rpm kdebase-devel-3.1.3-5.4.ia64.rpm kdelibs-3.1.3-6.6.ia64.rpm kdelibs-devel-3.1.3-6.6.ia64.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux WS (v. 2.1) SRPMS kdebase-2.2.2-12.src.rpm kdelibs-2.2.2-13.src.rpm i386 arts-2.2.2-13.i386.rpm kdebase-2.2.2-12.i386.rpm kdebase-devel-2.2.2-12.i386.rpm kdelibs-2.2.2-13.i386.rpm kdelibs-devel-2.2.2-13.i386.rpm kdelibs-sound-2.2.2-13.i386.rpm kdelibs-sound-devel-2.2.2-13.i386.rpm https://rhn.redhat.com/ Red Hat Enterprise Linux WS (v. 3) AMD64 kdebase-3.1.3-5.4.x86_64.rpm kdebase-devel-3.1.3-5.4.x86_64.rpm kdelibs-3.1.3-6.6.x86_64.rpm kdelibs-devel-3.1.3-6.6.x86_64.rpm SRPMS kdebase-3.1.3-5.4.src.rpm kdelibs-3.1.3-6.6.src.rpm i386 kdebase-3.1.3-5.4.i386.rpm kdebase-devel-3.1.3-5.4.i386.rpm kdelibs-3.1.3-6.6.i386.rpm kdelibs-devel-3.1.3-6.6.i386.rpm ia64 kdebase-3.1.3-5.4.ia64.rpm kdebase-devel-3.1.3-5.4.ia64.rpm kdelibs-3.1.3-6.6.ia64.rpm kdelibs-devel-3.1.3-6.6.ia64.rpm Red Hat Linux Advanced Workstation 2.1 Itanium Processor SRPMS kdebase-2.2.2-12.src.rpm kdelibs-2.2.2-13.src.rpm ia64 arts-2.2.2-13.ia64.rpm kdebase-2.2.2-12.ia64.rpm kdebase-devel-2.2.2-12.ia64.rpm kdelibs-2.2.2-13.ia64.rpm kdelibs-devel-2.2.2-13.ia64.rpm kdelibs-sound-2.2.2-13.ia64.rpm kdelibs-sound-devel-2.2.2-13.ia64.rpm https://rhn.redhat.com/ |
|
Standar resources |
|
| Property | Value |
| CVE |
CAN-2004-0746 CAN-2004-0866 CAN-2004-0867 |
| BID | |
Other resources |
|
|
Westpoint Security Advisory wp-04-0001 http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt KDE Security Advisory http://www.kde.org/info/security/advisory-20040823-1.txt Mozilla Bugzilla Bug 252342 http://bugzilla.mozilla.org/show_bug.cgi?id=252342 Red Hat Security Advisory RHSA-2004:412-10 https://rhn.redhat.com/errata/RHSA-2004-412.html |
|
Version history |
||
| Version | Comments | Date |
| 1.0 | Aviso emitido | 2004-09-22 |
| 1.1 | Aviso emitido por Red Hat (RHSA-2004:412-10) | 2004-10-05 |