mailing list archives
CVE Request -- Qt (x < 4.8.4): QML XmlHttpRequest insecure redirection
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 4 Dec 2012 09:58:26 -0500 (EST)
Hello Kurt, Steve, vendors,
Qt upstream has released 4.8.4 version correcting one security
An information disclosure flaw was found in the way XMLHttpRequest
object implementation in Qt, a software toolkit for developing
applications, performed management of certain HTTP responses.
Previous implementation allowed redirection from HTTP protocol
to file schemas. Also the redirection handling was performed
automatically by QML application and could not be disabled.
A remote attacker could use this flaw to cause QML application
in an unauthorized way to read local file content by causing
the HTTP response for the application to be a redirect to
a file: URL (file scheme).
Relevant upstream patch:
Could you allocate a CVE id for this?
Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
- CVE Request -- Qt (x < 4.8.4): QML XmlHttpRequest insecure redirection Jan Lieskovsky (Dec 04)