Security hole in kpf - KDE personal fileserver.

[Ajay R Ramjatan <simpleguy () simpleguy com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        SECURITY ADVISORY

Author:         Ajay R Ramjatan <simpleguy () simpleguy com>
Date:           11 October 2002
Software:       kpf - KDE Personal File Server (part of kdenetwork)
Vulnerable:     kpf of any KDE release between KDE 3.0.1 and KDE 3.0.3a
Fixed:          kpf from kdenetwork 3.0.4

INTRODUCTION
kpf allows a user to run a small http server and easily 'share' a directory on
a certain port. Using specially crafted URLs, its possible to view content
outside the specified root directory.

DESCRIPTION
A few days ago, I used the kpf applet to quickly 'share' a directory on
my system for a friend. When testing with a browser, I noticed that jpeg
files had an icon next to them. Curiosity compelled me to check the path of
those icons. It turned out the icons were being read from my own machine
and their URL was in the form

http://127.0.0.1:8001/?icon=/usr/local/kde/share/icons/hicolor \
/32x32/mimetypes/image.png

Using ?icon=/ in the URL shown above causes kpf to display the system's
root directory, and going from there, its posible to read any file which is 
readable by the user running kpf.

I immediately closed kpf and notified rikkus on #kde-devel@Openprojects
who acknowledged the hole and immediately fixed it.

SOLUTION
The KDE advisory of the problem is here:
http://www.kde.org/info/security/advisory-20021008-2.txt
It includes locations of where to get updated packages and patches.

THANKS TO
Rikkus @ OpenProjects for fixing the hole quickly.
Larry^Flynt @ DALnet. Without him asking me to 'share' some jpegs with him,
I would have never discovered that hole.


Ajay R Ramjatan
http://www.simpleguy.com

- -EOF

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)

iD8DBQE9pqZhajQ2fz6QGn8RAqqWAJ9hX09lucd8JJlZC2EaxAxbLpq+ZACgwT1L
oJ8F2zrpRAcoO3hLPHH+xH8=
=+g5X
-----END PGP SIGNATURE-----