Security hole in kpf - KDE personal fileserver.
From: Ajay R Ramjatan <simpleguy () simpleguy com>
Date: Fri, 11 Oct 2002 14:22:19 +0400
-----BEGIN PGP SIGNED MESSAGE-----
Author: Ajay R Ramjatan <simpleguy () simpleguy com>
Date: 11 October 2002
Software: kpf - KDE Personal File Server (part of kdenetwork)
Vulnerable: kpf of any KDE release between KDE 3.0.1 and KDE 3.0.3a
Fixed: kpf from kdenetwork 3.0.4
kpf allows a user to run a small http server and easily 'share' a directory on
a certain port. Using specially crafted URLs, it's possible to view content
outside the specified root directory.
A few days ago, I used the kpf applet to quickly 'share' a directory on
my system for a friend. When testing with a browser, I noticed that jpeg
files had an icon next to them. Curiosity compelled me to check the path of
those icons. It turned out the icons were being read from my own machine
and their URL was in the form
Using ?icon=/ in the URL shown above causes kpf to display the system's
root directory, and going from there, it's possible to read any file which is
readable by the user running kpf.
I immediately closed kpf and notified rikkus on #kde-devel () Openprojects
who acknowledged the hole and immediately fixed it.
The KDE advisory of the problem is here:
It includes locations of where to get updated packages and patches.
Rikkus @ OpenProjects for fixing the hole quickly.
Larry^Flynt @ DALnet. Without him asking me to 'share' some jpegs with him,
I would have never discovered that hole.
Ajay R Ramjatan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
-----END PGP SIGNATURE-----
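The class of bug reported above, shown as an added example that is not part of the original message and is not kpf's code or its actual fix: a query value used directly as a filesystem path, next to a check that resolves every request-derived path and requires it to stay under the shared root. The function names, the way the `icon` parameter is handled, and the temporary share directory are assumptions constructed for illustration.

```python
import os
import tempfile
from urllib.parse import urlsplit, parse_qs, unquote


def naive_target(root, url):
    """Flawed pattern: a query value is used as a filesystem path as-is."""
    parts = urlsplit(url)
    icon = parse_qs(parts.query, keep_blank_values=True).get("icon")
    if icon:
        return icon[0]  # never checked against the shared root
    return os.path.join(root, unquote(parts.path).lstrip("/"))


def contained_target(root, url):
    """Resolve every request-derived path and require it to stay under root."""
    parts = urlsplit(url)
    icon = parse_qs(parts.query, keep_blank_values=True).get("icon")
    # parse_qs percent-decodes query values; the URL path must be decoded here.
    requested = icon[0] if icon else unquote(parts.path)
    root_real = os.path.realpath(root)
    # Treat the value as relative to the share even when it starts with "/".
    candidate = os.path.realpath(os.path.join(root_real, requested.lstrip("/")))
    # realpath collapses ".." and follows symlinks, so compare after resolving.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None  # caller should answer with an error, not a listing
    return candidate


def demo():
    """Build a constructed share directory and classify sample requests."""
    with tempfile.TemporaryDirectory() as base:
        share = os.path.join(base, "share")
        os.makedirs(os.path.join(share, "pics"))
        share_real = os.path.realpath(share)
        results = {}
        for url in ("/pics/", "/?icon=/", "/?icon=/pics", "/?icon=../", "/%2e%2e/"):
            target = contained_target(share, url)
            results[url] = None if target is None else os.path.relpath(target, share_real)
        results["naive /?icon=/"] = naive_target(share, "/?icon=/")
        return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request!r:20} -> {outcome!r}")
```

With the check in place, `?icon=/` maps to the top of the share instead of the system root, and any value that resolves outside the share is refused.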