Rekonq 0.5 Cross Site Scripting

19 Aug 2010, reported by Tim Brown. Source: packetstormsecurity.com

Rekonq 0.5 is vulnerable to Javascript injection, allowing XSS, spoofed web pages, and cookie theft

Nth Dimension Security Advisory (NDSA20100818)  
Date: 18th August 2010  
Author: Tim Brown <mailto:[email protected]>  
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>  
Product: Rekonq 0.5 <http://rekonq.sourceforge.net/>  
Vendor: Andrea Diamantini <http://www.adjam.org/>  
Risk: Medium  
  
Summary  
  
The Rekonq web browser is vulnerable to Javascript injection in a number  
of components of the user interface. Depending on the exact component  
affected, this can lead to Javascript being executed in a number of contexts,  
which in the worst case could allow an arbitrary web site to be spoofed  
or even allow the Javascript to be executed in the context of an arbitrary  
domain.  
  
Whilst initially Nth Dimension had no intention to publish this advisory,  
the increasing prominence of the project led to a re-evaluation of this  
decision. After discussions with the vendor, Nth Dimension approached  
the oss-security[1] mailing list to request a CVE reference for this  
vulnerability. Josh Bressers of Red Hat assigned CVE-2010-2536 to this  
vulnerability.  
  
Technical Details  
  
Rekonq 0.4 is affected by Javascript injection which allows universal  
XSS. Opening a fresh instance of Rekonq and entering the following URL  
causes the Javascript to be executed in the context of the requested  
domain:  
  
http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded.twitter.com/"><script>alert(document.cookie)</script>  
  
Since Rekonq fails to resolve the hostname, it will then display an  
error message. The error message output by Rekonq includes the full URL,  
including the <script> tags. Since Rekonq sees that the requested URL is  
part of *.twitter.com, and since twitter.com sets wildcard-domain cookies,  
the error page will be able to access any cookies that have been set.  
Note that this is not unique to twitter.com; cookies can be stolen for any  
site that sets wildcard-domain cookies.  
  
Furthermore, in Rekonq 0.4 Javascript can also be injected into the  
favourites, bookmarks, closed tabs and history user interface components in  
similar fashion, since these are constructed as HTML which is then  
rendered by Rekonq.  
  
Finally, whilst these issues are partially resolved in Rekonq 0.5,  
pages can still be spoofed. For example, by entering:  
  
https://wwwmail.google.com/"><script>document.body.innerHTML='<h1>Welcome to Google.com</h1>Username: <input type="username" name="text">Password: <input type="password" name="password"><input type="submit" value="Submit">'</script>  
  
into the URL bar and hitting enter. As with Rekonq 0.4, the full URL submitted  
is used as part of the error page for the "Try again" button. Whilst the  
cookies for the domain can no longer be accessed, it is still possible to  
spoof legitimate-looking URLs.  
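
The root cause described above is an error page built by concatenating the requested URL straight into HTML. The following is an added illustration, not Rekonq's or KDE's code: a stand-in error-page builder in the vulnerable shape, its escaped counterpart, and a check that runs the advisory's own proof-of-concept URL through both. The function names and the sample markup are assumptions for the example; Qt offers the same escaping natively (`Qt::escape()` in Qt 4, `QString::toHtmlEscaped()` in Qt 5).

```cpp
#include <string>

// Constructed sample input: the universal-XSS URL quoted in this advisory.
static const std::string kPocUrl =
    "http://thisdomainwillnotresolveandrekonqerrorpagewillbeshownwithfullurlembedded"
    ".twitter.com/\"><script>alert(document.cookie)</script>";

// Vulnerable shape (hypothetical stand-in for the error page): the raw URL is
// placed in an attribute and in text, so '"', '<' and '>' become live markup.
std::string buildErrorPageVulnerable(const std::string& url) {
    return "<html><body><h1>Unable to load page</h1>"
           "<p>Failed to load <a href=\"" + url + "\">" + url + "</a>.</p>"
           "<a href=\"" + url + "\">Try again</a></body></html>";
}

// Escape the five HTML metacharacters; enough for both attribute (double
// quoted) and text contexts in the markup above.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hardened shape: the URL is escaped once, before it enters any HTML context.
std::string buildErrorPageSafe(const std::string& url) {
    const std::string e = htmlEscape(url);
    return "<html><body><h1>Unable to load page</h1>"
           "<p>Failed to load <a href=\"" + e + "\">" + e + "</a>.</p>"
           "<a href=\"" + e + "\">Try again</a></body></html>";
}

// Simple check a reviewer or test can apply to generated pages: a raw
// "<script" that did not come from the template indicates unescaped input.
bool containsRawScriptTag(const std::string& html) {
    return html.find("<script") != std::string::npos;
}
```

Escaping removes the injection, but the cookie-theft half of the bug in 0.4 also relied on the error page rendering under the requested domain's origin; rendering it from a browser-internal origin, as 0.5 does according to the table below, is the second, independent control.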
  
Solutions  
  
Nth Dimension recommends that the vendor supplied patches should be applied.  
  
History  
  
On 5th December 2009, the vendor was notified and an issue[2] was opened on  
KDE's bug tracker to track the vulnerability referencing the then current  
release of Rekonq which was 0.4.  
  
Further testing identified that Qt's demo browser was also affected along  
with KDE's kwebkitpart. Following this, Dawit Alemayehu of KDE patched[3]  
the affected component within KDE.  
  
The vulnerability was confirmed by the Rekonq developers on the 7th  
December 2009 and an interim patch was applied. Nth Dimension notified  
the Rekonq developers that they were unable to confirm that the patch  
was effective but that they had found additional components of Rekonq  
that were also affected.  
  
Nth Dimension resolved to test the patch as soon as a new release was  
available for the affected platform on which the bug had first been identified.  
  
Eventually, on the 14th July 2010, Nth Dimension were able to retest the  
applied patch on Rekonq 0.5. It was identified that, whilst the vulnerability  
had been partially resolved, a new vector had been found.  
  
On the 21st July 2010, Nth Dimension contacted oss-security to request a  
CVE for this vulnerability. Josh Bressers immediately replied, assigning  
CVE-2010-2536.  
  
Following the assignment of a CVE for this issue, Eelko Berkenpies provided  
a patch[4] to resolve the outstanding symptoms of the vulnerability, which was  
applied by Andrea Diamantini on the 2nd August 2010.  
  
Current  
  
As of the 2nd August 2010, the state of the vulnerabilities is believed to  
be as follows:  
  
| | 0.4 | 0.5 |  
| --- | --- | --- |  
| Javascript injection into error page | | |  
| Access to cookies from invalid domains | | Fixed |  
| Javascript injection into bookmarks, history etc | | Fixed |  
  
A patch has been applied to the upstream git repository which it is believed  
successfully mitigates the final symptoms of this vulnerability.  
  
Thanks  
  
Nth Dimension would like to thank Dawit Alemayehu of KDE, Andrea Diamantini  
of Rekonq and Eelko Berkenpies for the way they worked to resolve the issue.  
  
[1] http://www.openwall.com/lists/oss-security/2010/07/21/3  
[2] https://bugs.kde.org/show_bug.cgi?id=217464  
[3] http://websvn.kde.org/?view=rev&revision=1059140  
[4] https://bugs.kde.org/attachment.cgi?id=49437  
