Users login

Create an account »


Users login

Home » Hacking News » KDE Security Advisory: kpf Directory traversal

KDE Security Advisory: kpf Directory traversal

by Nikola Strahija on October 12th, 2002 1. Systems affected: kpf of any KDE release between KDE 3.0.1 and KDE 3.0.3a.

2. Overview:

kpf is a file sharing utility that can be docked into the
KDE kicker bar. It uses a subset of the HTTP protocol internally
and acts much similiar to a webserver.

A feature added in KDE 3.0.1 accidently allowed retrieving any
file, not limited to the configured shared directory, if it is
readable by the user kpf runs under.

3. Impact:

Files not stored in the shared directory were remotely

4. Solution:

The vulnerable feature has been removed.

Apply the patch listed in section 5 to kdenetwork/kpf, or update
to KDE 3.0.4.

kdenetwork-3.0.4 can be downloaded from :
9f64e76cc6b922e1bf105099e3bf8205 kdenetwork-3.0.4.tar.bz2

5. Patch:

A patch for KDE 3.0.3 is available from :
2e8ddbb0d75cd63fd534ec001bb5a415 post-3.0.3-kdenetwork-kpf.diff

Version: GnuPG v1.0.7 (GNU/Linux)


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »