Another security hole


Karai Csaba

May 2, 2006, 12:25:44 PM
to krusade...@googlegroups.com
Hi, another security hole:

1. enter the URL: ftp://user:pass...@server.com
2. save the URL to the bookmarks

The password is stored in the bookmarks.xml in cleartext!!!!

I've followed the bug.

The password comes with vfs_getOrigin() and after that
KURL::prettyURL() shows the password.

I have 2 solutions:

- remove the password in vfs_getOrigin() (can be slow)
- store the vfs_origin URL in 2 instances:
    one for loading (which contains the password)
    one for querying with vfs_getOrigin()
  this is the faster way with minimum overhead

The first is easy to do, the second is fast.

Bye,

Csaba

Frank Schoolmeesters

Jul 9, 2006, 10:47:37 AM
to krusade...@googlegroups.com
What is the status of this issue?

thanks and bye,

Frank

Karai Csaba

Jul 11, 2006, 4:11:48 PM
to krusade...@googlegroups.com
It's open.

Csaba

Frank Schoolmeesters wrote:

Frank Schoolmeesters

Jul 11, 2006, 4:37:00 PM
to krusade...@googlegroups.com
And can it be closed? ;)

The easy "slow" solution is good for me i think (though i'm not a developer) ,
I think it's better that it is "slow" and secure than not secure at all.
If there are complaints about speed maybe we could check/try the
second solution.
But if you can implement the fast solution it's also ok for me.

Any opinions?

Frank

Karai Csaba

Jul 12, 2006, 3:36:00 PM
to krusade...@googlegroups.com
Frank Schoolmeesters wrote:

> And can it be closed? ;)

Done.

>
> The easy "slow" solution is good for me i think (though i'm not a developer) ,
> I think it's better that it is "slow" and secure than not secure at all.
> If there are complaints about speed maybe we could check/try the
> second solution.
> But if you can implement the fast solution it's also ok for me.
>
> Any opinions?
>

I didn't touch VFS. The bookmark handler uses KURL::prettyURL() instead
of KURL::url() which doesn't save the passwords.

That's it.

Csaba

Frank Schoolmeesters

Jul 13, 2006, 3:27:04 AM
to krusade...@googlegroups.com
On 7/12/06, Karai Csaba <csk...@freemail.hu> wrote:
>
> Frank Schoolmeesters wrote:
> > And can it be closed? ;)
>
> Done.

Thanks!

> > The easy "slow" solution is good for me i think (though i'm not a developer) ,
> > I think it's better that it is "slow" and secure than not secure at all.
> > If there are complaints about speed maybe we could check/try the
> > second solution.
> > But if you can implement the fast solution it's also ok for me.
> >
> > Any opinions?
> >
>
> I didn't touch VFS. The bookmark handler uses KURL::prettyURL() instead
> of KURL::url() which doesn't save the passwords.
>
> That's it.
>
> Csaba

Not saving the password is the safest solution and if the user wants to
save it i guess that the user still can use kwallet.
I can't compile Krusader for the moment (i'm waiting for some updates
that have not entered Debian testing yet).

Should we provide a security patch for 1.70.0 ?

Frank

Rafi Yanai

Jul 13, 2006, 4:07:22 AM
to krusade...@googlegroups.com
maybe release 1.70.1 with this patch ?

Frank Schoolmeesters

Jul 13, 2006, 7:09:51 AM
to krusade...@googlegroups.com
Sounds ok.

Maybe Dirk can add also some i18n updates in 1.70.1 ?
( I know that the new Turkish translation just missed 1.70.0 )

Frank

Dirk Eschler

Jul 13, 2006, 11:03:50 AM
to krusade...@googlegroups.com
On Thursday, 13 July 2006 13:09, Frank Schoolmeesters wrote:
> Sounds ok.
>
> Maybe Dirk can add also some i18n updates in 1.70.1 ?
> ( I know that the new Turkish translation just missed 1.70.0 )

Hmm that might work for the new translation, but "backporting" existing ones
would result in more broken strings than updated.

What were the plans for the next release? Is it too late for a quick 1.71.0
release? I can't tell how critical the new features are, only that i don't
have problems with them at all. ;)

Dirk

--
Dirk Eschler <mailto:dirk.e...@gmx.net>
http://www.krusader.org

Frank Schoolmeesters

Jul 13, 2006, 4:53:24 PM
to krusade...@googlegroups.com
On 7/13/06, Dirk Eschler <dirk.e...@gmx.net> wrote:
>
> On Thursday, 13 July 2006 13:09, Frank Schoolmeesters wrote:
> > Sounds ok.
> >
> > Maybe Dirk can add also some i18n updates in 1.70.1 ?
> > ( I know that the new Turkish translation just missed 1.70.0 )
>
> Hmm that might work for the new translation, but "backporting" existing ones
> would result in more broken strings than updated.
>
I was only talking of translations that were translated based on krusader.pot
of 1.70.0
I guess there exists no tool yet to "backport" i18n. ;)


> What were the plans for the next release? Is it too late for a quick 1.71.0
> release? I can't tell how critical the new features are, only that i don't
> have problems with them at all. ;)
>
> Dirk
>

Current cvs is quite stable, but is not tested a lot i guess.
Though i have no problems with the new features either ;)

Frank

Richard/g

Jul 13, 2006, 9:37:05 PM
to krusade...@googlegroups.com

I still get crashes using the view, F3 stuff, but I think it
comes from kde widgets. An interruption of a view, out of the
ordinary, tends to crash krusader. Not all the time, but it happens.

Other than that, it's very stable. Currently using
k!-1.70.20060712.0200. Cvs is much more reliable for downloading.
How goes the progress towards subversion?

Richard.

Shie Erlich

Jul 14, 2006, 2:38:09 AM
to krusade...@googlegroups.com

i think subversion was said to replace cvs for the krusader 2.0 process.



--
Shie Erlich
http://www.krusader.org/

Frank Schoolmeesters

Jul 14, 2006, 5:53:28 AM
to krusade...@googlegroups.com
I suggest we vote.

1) Release a patch for 1.70.0

2) Release 1.70.1 that contains the patch with maybe some small additions
(e.g. the new Turkish translation)

3) Release krusader-cvs as 1.71.0 at e.g. 1 August (if we consider it
stable enough)
This gives us the time to do:
- feature freeze for translations
- final finetunings by the developers (if needed)
Advantage: contains several fixes, plus some new features
Disadvantage: might contain some new bugs (but this is always the
case with a new release ;)

My vote is number 3 ;)

Frank

Dirk Eschler

Jul 14, 2006, 7:06:58 AM
to krusade...@googlegroups.com

IMHO that's too long for releasing a fixed version. Csaba, can you make a
patch against 1.70.0?

However, i can't do a proper release now. I haven't been able to ssh into sf
for ~3 days, hope they get around this issue any time soon.

Frank Schoolmeesters

Jul 14, 2006, 8:35:08 AM
to krusade...@googlegroups.com
On 7/14/06, Dirk Eschler <dirk.e...@gmx.net> wrote:
>
> On Friday, 14 July 2006 11:53, Frank Schoolmeesters wrote:
> > I suggest we vote.
> >
> > 1) Release a patch for 1.70.0
> >
> > 2) Release 1.70.1 that contains the patch with maybe some small additions
> > (e.g. the new Turkish translation)
> >
> > 3) Release krusader-cvs as 1.71.0 at e.g. 1 August (if we consider it
> > stable enough)
> > This gives us the time to do:
> > - feature freeze for translations
> > - final finetunings by the developers (if needed)
> > Advantage: contains several fixes, plus some new features
> > Disadvantage: might contain some new bugs (but this is always the
> > case with a new release ;)
> >
> > My vote is number 3 ;)
> >
> > Frank
>
> IMHO that's too long for releasing a fixed version. Csaba, can you make a
> patch against 1.70.0?
>

The security hole is already known since 2 May, the patch in cvs is 2 days old.
Anyway, we can always release the patch for 1.70.0 asap.

Frank

Karai Csaba

Jul 14, 2006, 1:39:39 PM
to krusade...@googlegroups.com
> IMHO that's too long for releasing a fixed version. Csaba, can you make a
> patch against 1.70.0?

On Monday I'll make it. Now I have no fast internet connection.
Shall I add the 1.70 crash fixes or not?

Csaba

Dirk Eschler

Jul 14, 2006, 2:05:37 PM
to krusade...@googlegroups.com
On Friday, 14 July 2006 19:39, Karai Csaba wrote:
> > IMHO that's too long for releasing a fixed version. Csaba, can you make a
> > patch against 1.70.0?
>
> On Monday I'll make it. Now I have no fast internet connection.
> Shall I add the 1.70 crash fixes or not?

Well, that would be perfect. :) But, speaking for myself, only do if it ain't
too much work.

Rafi Yanai

Jul 14, 2006, 5:30:48 PM
to krusade...@googlegroups.com
I agree with Frank, if CVS is stable why not release it as a new version ?

On 7/14/06, Dirk Eschler <dirk.e...@gmx.net> wrote:

Dirk Eschler

Jul 14, 2006, 5:44:23 PM
to krusade...@googlegroups.com
On Friday, 14 July 2006 23:30, Rafi Yanai wrote:
> I agree with Frank, if CVS is stable why not release it as a new version ?

Actually i am for releasing a new version. But waiting another 2 or 3 weeks
with the release of a security fix is just too long in my opinion, that
should happen ASAP.

Jonas Bähr

Jul 14, 2006, 5:54:16 PM
to krusade...@googlegroups.com
On Friday, 14 July 2006 23:30, Rafi Yanai wrote:
> I agree with Frank, if CVS is stable why not release it as a new version ?

Hi,

There are some quite heavy changes in the useractions (see CVSNEWS) and since
quite a long time now (sorry, I wasn't very productive during the last
weeks :-/) I've got a partly working ActionMan in my developer version which
I'd like to have in the next release (it moves the useraction-definition out
of Konfigurator and does also some cleanup in the dir-structure of the
UA-userinterface). However, in two weeks my exam-period starts so I don't
think that I can finish this work until mid August...
And given the fact that this 1.80.0 might be the last release before we start
the KDE-4 work I don't feel very comfortable releasing it with only the first
half of the useraction-overhaul...

For this reason I prefer a patched 1.70.1

bye,
Jonas

>
> On 7/14/06, Dirk Eschler <dirk.e...@gmx.net> wrote:
> > On Friday, 14 July 2006 19:39, Karai Csaba wrote:
> > > > IMHO that's too long for releasing a fixed version. Csaba, can you make a
> > > > patch against 1.70.0?
> > >
> > > On Monday I'll make it. Now I have no fast internet connection.
> > > Shall I add the 1.70 crash fixes or not?
> >
> > Well, that would be perfect. :) But, speaking for myself, only do if it ain't
> > too much work.
> >
> > Dirk
> >
> > --
> > Dirk Eschler <mailto:dirk.e...@gmx.net>
> > http://www.krusader.org
>
>

--
Try Krusader...
http://krusader.org - twinpanel filemanager for KDE

Shie Erlich

Jul 14, 2006, 6:18:17 PM
to krusade...@googlegroups.com
actually, both rafi and myself have not been productive either for many weeks now :-(
jonas, got a clue when you will be ready for a real release? that way
we can have a clue about what's our timetable.

in the meanwhile, we can just release the patched version.

shie

Jonas Bähr

Jul 14, 2006, 6:26:23 PM
to krusade...@googlegroups.com
On Saturday, 15 July 2006 00:18, Shie Erlich wrote:
> actually, both rafi and myself have not been productive either for many
> weeks now :-(
> jonas, got a clue when you will be ready for a real release? that way
> we can have a clue about what's our timetable.

Maybe this weekend... but I think that I'll have it working around mid
August...

Frank Schoolmeesters

Jul 17, 2006, 3:24:15 AM
to krusade...@googlegroups.com
Hi Dirk,

Here is a complete description of the security problem for the release notes
and the announcement for the patched 1.70.1
Maybe "Secure password storage (>= Krusader-1.50)" can be explained
better though ;)
You can edit it to fit your needs.

Once 1.70.1 is released we should send a mail to <c...@mitre.org>
with the url of krusader-news that contains all details of the problem
(this mail ;) .
To create a CVE report (Common Vulnerabilities and Exposures),
this way all distros are warned automagically.
FYI the old URLs for the security hole in the Popular URLs:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3856
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3856

bye,

Frank

#######################################

Description
===========
The bookmark manager (krbookmarkhandler.cpp) of Krusader-1.50 until
Krusader-1.70.0 sometimes stores passwords for remote connections
(ftp, sftp, fish, smb, ...) in cleartext in the bookmarks.xml file
(~/.kde/share/apps/krusader/krbookmarks.xml),
which might allow attackers to access other sites.
Krusader-1.70.1 solves this issue because passwords are not stored
anymore in krbookmarks.xml;
if you want to store passwords you need to use kwallet.


More Details
============

Insecure storing of passwords in Krusader-1.50 until Krusader-1.70.0
------------------------------------------------------------------
When you bookmark something, a dialog will display something like:
"name: blah blah" "url: ftp://user...@ftp.test.com/"
Change the url to look like "ftp://username:pass...@ftp.test.com/"
and save the bookmark.
The next things will happen:
Passwords will never be shown again on screen not even in the bookmark manager,
but are saved as clear text in bookmarks.xml.
It is kept hidden inside Krusader, clicking the bookmark will login to
the requested site.
Backing up krbookmarks.xml will save your passwords.

Krusader-1.70.1
---------------
Since Krusader-1.70.1 passwords are not saved anymore in bookmarks.xml
and you need to provide the password every time you login.

Secure password storage (>= Krusader-1.50)
--------------------------------------------
Open the remote connection, click add bookmark, a dialog will open
asking for username and password.
Supply them and click on the "save password" button.
The passwords and usernames will now be saved and managed SECURELY by
KDE's wallet (make sure it is enabled by your distro).
The downside here is that if you reinstall and don't backup your
passwords from the wallet as well as Krusader's bookmark file,
something will be lost.

References
===========
Affected versions
------------------
- Krusader-1.50-beta1, 1.50, 1.60.0-beta1, 1.60.0, , 1.70.0-beta1, 1.70.0-beta1
- Krusader-cvs from: Wed September 29 2004 until Wed July 12 2006.


Not affected versions
----------------------
Krusader-1.40 and lower (it uses an older Bookmark manager).


Announcement
-------------
http://groups.google.com/group/krusader-devel/browse_thread/thread/b247e1204b21fc1d/#


Patch in cvs
-------------
http://sourceforge.net/mailarchive/forum.php?thread_id=22855120&forum_id=34772
http://krusader.cvs.sourceforge.net/krusader/krusader_kde3/krusader/BookMan/kraddbookmarkdlg.cpp?view=log
http://krusader.cvs.sourceforge.net/krusader/krusader_kde3/krusader/BookMan/kraddbookmarkdlg.cpp?r1=1.7&r2=1.8


Advisory
--------
Install krusader-1.70.1 or higher or use krusader-cvs after July 13
2006.
( - *website url krusader-1.70.1* )
( - *krusader-news url* )

#########################################
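
An existing bookmark file can be checked for the condition this advisory describes. The script below is an added example, not Krusader code: it assumes XBEL-style `bookmark` elements carrying the URL in an `href` attribute, runs on constructed sample data, and reports only the redacted URLs.

```python
"""Audit a bookmarks XML file for URLs that embed a password (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample; the element and attribute names are an assumption
# (XBEL-style <bookmark href="...">), not taken from the thread.
SAMPLE = """<xbel>
 <bookmark href="ftp://alice:s3cret@ftp.example.org/pub"><title>work ftp</title></bookmark>
 <bookmark href="ftp://bob@ftp.example.org/"><title>no password</title></bookmark>
 <folder><title>remote</title>
  <bookmark href="sftp://carol:p%40ss@files.example.net:2222/home"><title>sftp</title></bookmark>
 </folder>
 <bookmark href="file:///home/alice/docs"><title>local</title></bookmark>
</xbel>"""


def strip_password(url):
    """Return (url_without_password, had_password); the user name is kept."""
    parts = urlsplit(url)
    if parts.password is None:
        return url, False
    # netloc is "user:password@host[:port]"; split on the last "@" so an
    # unescaped "@" inside the password cannot leak into the host part.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    netloc = f"{user}@{hostport}" if user else hostport
    return urlunsplit(parts._replace(netloc=netloc)), True


def audit(xml_text):
    """Redact the password in every bookmark href.

    Returns (findings, cleaned_xml): findings lists the redacted URLs of
    bookmarks that carried a password, in document order.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for node in root.iter("bookmark"):  # iter() also descends into folders
        cleaned, had_password = strip_password(node.get("href", ""))
        if had_password:
            findings.append(cleaned)  # never echo the secret itself
            node.set("href", cleaned)
    return findings, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    found, cleaned_xml = audit(SAMPLE)
    for url in found:
        print("password was stored for:", url)
```

Any password such a check finds should be treated as exposed and changed on the remote server, since backups or copies of the file may still hold it.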

Frank Schoolmeesters

Jul 17, 2006, 3:26:37 AM
to krusade...@googlegroups.com
=========
Affected versions
------------------
- Krusader-1.50-beta1, 1.50, 1.60.0-beta1, 1.60.0, , 1.70.0-beta1, 1.70.0-beta1
=========

typo: remove the last -beta1

bye,

Frank

Dirk Eschler

Jul 17, 2006, 1:07:59 PM
to krusade...@googlegroups.com
On Monday, 17 July 2006 09:24, Frank Schoolmeesters wrote:
> Hi Dirk,
>
> Here is a complete description of the security problem for the release
> notes and the announcement for the patched 1.70.1
> Maybe "Secure password storage (>= Krusader-1.50)" can be explained
> better though ;)
> You can edit it to fit your needs.
>
> Once 1.70.1 is released we should send a mail to <c...@mitre.org>
> with the url of krusader-news that contains all details of the problem
> (this mail ;) .
> To create a CVE report (Common Vulnerabilities and Exposures),
> this way all distros are warned automagically.
> FYI the old URLs for the security hole in the Popular URLs:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3856
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-3856

Thanks for writing this down. I've been brooding over a good way to announce
security issues. In general they have to be independent from release
announcements. Kinda liked the way Gentoo announces them at the forums, but
for "normal" news they are too long. Have to think about it ...

Dirk Eschler

Jul 17, 2006, 6:11:56 PM
to krusade...@googlegroups.com
On Monday, 17 July 2006 19:07, Dirk Eschler wrote:
> Thanks for writing this down. I've been brooding over a good way to
> announce security issues. In general they have to be independent from
> release announcements. Kinda liked the way Gentoo announces them at the
> forums, but for "normal" news they are too long. Have to think about it ...

Posted something to the news. It's only a draft, but has the important
information in it. Made it a sticky post for now, as these don't appear in
the news (long story). I'll continue tomorrow (update details etc.), am too
tired now ..

Good night,

Frank Schoolmeesters

Jul 18, 2006, 2:50:24 AM
to krusade...@googlegroups.com
It looks great already.
Nice job!

Frank

Frank Schoolmeesters

Jul 18, 2006, 3:05:06 AM
to krusade...@googlegroups.com
I have mailed cve.
It might take a few days until it's online at
http://cve.mitre.org/ and http://nvd.nist.gov/
(that's what happened last time at least)

bye,

Frank

Frank Schoolmeesters

Jul 25, 2006, 9:31:55 AM
to krusade...@googlegroups.com
I have received a mail from mitre.org,
the cve report is created (but it's currently not yet online).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3816

bye,

Frank

======================================================
Name: CVE-2006-3816
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3816
Reference: CONFIRM:http://krusader.sourceforge.net/phpBB/viewtopic.php?p=7965
Reference: CONFIRM:http://groups.google.com/group/krusader-news/browse_thread/thread/ec719041ed4a1a14

Krusader 1.50-beta1 up to 1.70.0 stores passwords for remote
connections in cleartext in the bookmark file (krbookmarks.xml), which
allows attackers to steal passwords by obtaining the file.
======================================================
