
KDE quoted shell command can be remotely exploited

14th Jan 2003 [SBWID-5933]
COMMAND

	KDE quoted shell command can be remotely exploited

SYSTEMS AFFECTED

	KDE 2.x up to and including KDE 3.0.5

PROBLEM

	From the Mandrake Linux Security Team [security@linux-mandrake.com]
	advisory [MDKSA-2003:004]:
	
	KDE fails to properly quote parameters of instructions passed to the
	shell for execution. These parameters may contain data such as
	filenames, URLs, email addresses, and so forth; this data may be provided
	remotely to a victim via email, web pages, files on a network
	filesystem, or other untrusted sources.
	
	It is possible for arbitrary command execution on a vulnerable system
	with the privileges of the victim's account.
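
	The quoting failure described above, as an added example that is not KDE's code and not part of the advisory: a command line built with and without POSIX single-quote quoting, run through /bin/sh on constructed filenames. The function names and the printf command are assumptions chosen for illustration.

```cpp
#include <cstdio>
#include <iostream>
#include <string>

// POSIX sh quoting: wrap the value in '...' and rewrite each embedded ' as '\''.
// Inside single quotes the shell treats every other character literally.
std::string shell_quote(const std::string &arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Weak form: the untrusted value is pasted straight into the command line.
std::string build_unquoted(const std::string &name) {
    return "printf '[%s]' " + name;
}

// Corrected form: the shell receives the value as exactly one argument.
std::string build_quoted(const std::string &name) {
    return "printf '[%s]' " + shell_quote(name);
}

// Run a command line through /bin/sh (via popen) and return its stdout.
std::string run_shell(const std::string &cmdline) {
    std::string output;
    FILE *p = popen(cmdline.c_str(), "r");
    if (!p) return output;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) output.append(buf, n);
    pclose(p);
    return output;
}

int main() {
    // Constructed sample values standing in for a remotely supplied filename.
    const std::string names[] = {"notes.txt; echo INJECTED", "it's $(echo X).txt"};
    for (const std::string &n : names)
        std::cout << "quoted:   " << run_shell(build_quoted(n)) << "\n";
    // Only the first sample is run unquoted: its text after ';' runs as a command.
    std::cout << "unquoted: " << run_shell(build_unquoted(names[0]));
    return 0;
}
```

	Passing the arguments as an argv array to an exec-style call, with no shell involved, removes the need for quoting altogether.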

SOLUTION

	Upgrade to version 3.0.5a; see:
	
	 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1393
	 http://www.kde.org/info/security/advisory-20021220-1.txt
	
