-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Nth Dimension Security Advisory (NDSA20100818)
Date: 18th August 2010
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Rekonq 0.5 <http://rekonq.sourceforge.net/>
Vendor: Andrea Diamantini <http://www.adjam.org/>
Risk: Medium

Summary

The Rekonq web browser is vulnerable to Javascript injection in a number
of components of the user interface. Depending on the exact component 
affected this can lead to Javascript being executed in a number of contexts
which in the worst case could allow an arbitrary web site to be spoofed
or even for the Javascript to be executed in the context of an arbitrary
context.

Whilst initially, Nth Dimension had no intention to publish this advisory
the increasing prominence of the project lead to a reevaluation of this
decision.  After discussions with the vendor, Nth Dimension approached 
the oss-security[1] mailing list to request a CVE reference for this
vulnerability.  Josh Bressers of Redhat assigned CVE-2010-2536 to this 
vulnerability.

Technical Details

Rekonq 0.4 is affected by Javascript injection which allows universal
XSS.  Opening a fresh instance of Rekonq and entering the following URL
causes the Javascript to be executed in the context of the requested
domain:

http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/"><script>alert(document.cookie)</script>

Since Rekonq fails to resolve the hostname it will then will display an
error message.  The error message output by Rekonq includes the full URL,
including the <script> tags.  Since Rekonq see that the requested URL is
part of *.twitter.com and since twitter.com sets wildcard domain'd cookies,
the error page will be able to access any cookies that have been set.
Note that this is not unique to twitter.com, cookies can be stolen for any
site that sets wildcard domain'd cookies.

Furthermore, in Rekonq 0.4 Javascript can also be injected into the 
favourites, bookmarks, closed tabs and history user interface components in
similar fashion since these two are constructed as HTML which is then
rendered by Rekonq.

Finally, whilst these issues are partially resolved in Rekonq 0.5,
pages can still be spoofed.  For example, by entering:

https://wwwmail.google.com/"><script>document.body.innerHTML='<h1>Welcome to Google.com</h1>Username: <input type="username" name="text">Password: <input type="password" name="password"><input type="submit" value="Submit">'</script>

into the URL bar and hit enter.  As with Rekonq 0.4, the full URL submitted
is used as part of the error page for the "Try again" button.  Whilst the
cookies for the domain can no longer be accessed it is still possible to
spoof legitimate looking URLs.

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied.

History

On 5th December 2009, the vendor was notified and an issue[2] was opened on
KDE's bug tracker to track the vulnerability referencing the then current
release of Rekonq which was 0.4.

Further testing identified that Qt's demo browser was also affected along
with KDE's kwebkitpart.  Following this, Dawit Alemayehu of KDE patched[3]
the affected component within KDE.

The vulnerability was confirmed by the Rekonq developers on the 7th
December 2009 and an interim patch was applied.  Nth Dimension notified
the Rekonq developers that they were unable to confirm that the patch
was effective but that they had found additional components of Rekonq
that were also affected.

Nth Dimension resolved to test the patch as soon as a new release was
available for the effected platform on which the bug had first been identified.

Eventually, on the 14th July 2010, Nth Dimension were able to retest the
applied patch on Rekonq 0.5.  It was identified that whilst the vulnerability
had been partially resolved, that a new vector had been identified

On the 21st July 2010, Nth Dimension contacted oss-security to request a
CVE for this vulnerability. Josh Bressers immediately replied, assigning
CVE-2010-2536.

Following the assigment of a CVE for this issue, Eelko Berkenpies provided
a patch[4] to resolve the outstanding symptoms of the vulnerability which was
applied by Andrea Diamantini on the 2nd August 2010. 

Current

As of the 2nd August 2010, the state of the vulnerabilities is believed to
be as follows:

|                                                  | 0.4 |  0.5  |
| Javascript injection into error page             |     |       |
| Access to cookies from invalid domains           |     | Fixed |
| Javascript injection into bookmarks, history etc |     | Fixed |

A patch has been applied to the upstream git repository which it is believed
successfully mitigates the final symptoms of this vulnerability.

Thanks

Nth Dimension would like to thank Dawit Alemayehu of KDE, Andrea Diamantini
of Rekonq and Eelko Berkenpies for the way they worked to resolve the issue.

[1] http://www.openwall.com/lists/oss-security/2010/07/21/3
[2] https://bugs.kde.org/show_bug.cgi?id=217464
[3] http://websvn.kde.org/?view=rev&revision=1059140
[4] https://bugs.kde.org/attachment.cgi?id=49437
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBCAAGBQJMa6hvAAoJEPJhpTVyySo78uoP/3tDA8IJa/yJR4rqyJ/5RATn
EqfbakIFKoiAhedurTTuuVCO2fBSMlmSCGg7KBrXIzZp6BLWrKQt8IBx1ZYbDAXH
9KGqjqgHejLMluEtKglCEXTzvJwluC1PB/fCRo8zGNeRKPL8+33aCxk+DKsGUwHe
rPMhGt9aOjkw9Fi6Yh17n6ERbOr4RHOalFOjdW/KC8wDT19DumgEH17vcK/H4YNq
87Z3iO6Sthy/hMvUiY5dhfR9gOqV8PQi1ecqQr1Uh9BV+5HO0QNaPrtrCMOa192r
3HLR5XZjPRM1ailCWMBy4szis7nKcDQ4F4ns9qPUY2Mlb/GB8Gzrzh9Kdg4YctSF
wjZp8qO2H3ZUqUAA1gtf39cZV0NHrlIp3M9P417eX1j0h1Ph5FYuJaEqn1Ml5GZy
R/AjieKFOwGOd1OabgJnxYQUWnkpfJf/OGXyjr9QxvmNgCJXxfyjrIIFhz4azWPr
OZFA3UPUgIOOAdeeBE/Gn0vXGQF421+o0bT9tN36WKr8W4wAozW7vToibjrvi1Oz
/jrYyYljrY/QhgSToNStydYe+M+9HaQzIEdvEsOPq5YVnypePvVbd1fuWJlqVzX4
Tx+DpH0l8x1pkywftZNpgp3kkxSYiFN3iD1fVvVc7B8J48ovPDBHwwcCyHAjY+TW
HEdkFOyBrpOBttSZyAjm
=qoWc
-----END PGP SIGNATURE-----