Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
[Full-Disclosure] KDE Security Advisory: plain text password exposure
From: Dirk Mueller (muellerkde.org)
Date: Thu Dec 09 2004 - 08:07:19 CST
-----BEGIN PGP SIGNED MESSAGE-----
KDE Security Advisory: plain text password exposure
Original Release Date: 2004-12-09
1. Systems affected:
All KDE 3.2.x releases, KDE 3.3.0, KDE 3.3.1 and KDE 3.3.2.
Daniel Fabian notified the KDE security team about a possible
privacy issue in KDE. When creating a link to a remote file
from various applications including Konqueror, the resulting
URL may contain the authentication credentials used to access
that remote resource. This includes, but is not limited to
browsing SMB ("Samba") shares. Further investigation revealed
unnecessary exposure of authentication credentials by the
SMB ("Samba") protocol handler.
The link reference file, which is a file with the extension
".desktop", is a plain text configuration file that is created
with default access permissions, depending on the users' umask
this could include world read permission. Usually the URL saved
in this .desktop file only contains the password if the user
manually entered it this way. The SMB protocol handler however
unnecessarily exposes authentication credentials by always
including this information in the URL that it generates.
The KDE team provides patches which will unconditionally
remove the password from the authentication credentials
before creating the link reference file and that fix the SMB
protocol handler to not unnecessarily include passwords
in URLs Authentication credentials can then be stored in
A user may inadvertly expose passwords provided for SMB shares
or other passwords that were entered as part of an URL.
Users should verify that links to remote files do not contain
password information by right-clicking the link and selecting
the "Properties" option and then selecting the "URL" tab.
The KDE 3.3.2 release contains most fixes already, therefore
the patch set to apply to KDE 3.3.2 is less than for other
Source code patches have been made available which fix these
vulnerabilities. Contact your OS vendor / binary package provider
for information about how to obtain updated binary packages.
Patches for KDE 3.3.1 are available from
Patch for KDE 3.3.2 is available from
Patches for KDE 3.2.3 are available from
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.