[Announce] Qt Project Security Advisory: QML XmlHttpRequest Insecure Redirection

List for announcements regarding Qt releases and development announce at qt-project.org
Fri Nov 30 11:44:08 CET 2012


Qt Project Security Advisory
----------------------------

Title:        QML XmlHttpRequest Insecure Redirection
Risk Rating:  Low
Platforms:    All
Modules:      QtQuick1, QtDeclarative
Versions:     4.8.3 and previous
Author:       Richard J. Moore <rich at kde.org>
Date:         17 November 2012

Overview
--------

The XMLHttpRequest object in Qt is intended to offer similar behaviour to that
in web browsers, though it intentionally does not enforce the same-orign
policy. It has been determined that the implementation in Qt will allow
redirection from http to file schemes which may allow an attacker performing a
man-in-the-middle attack to cause QML applications to leak sensitive
information.

Details
-------

If an attacker performs a MITM attack, then they have the ability to
manipulate the data received by a QML application. By causing the HTTP
response to be a redirect they can cause applications to unintentionally read
local file by redirecting to a file: URL. The redirection handling is
performed automatically by QML and cannot be disabled.

Impact
------

An application may be tricked into loading data that it thinks is not
sensitive (e.g. data loaded from a public web page) but which is in fact
sensitive. The application may then process the information (eg. by posting it
publicly) leading to an information disclosure flaw.

Workaround
----------

None

Solution
--------

Upgrade to Qt 4.8.4 or apply the patch below:

https://codereview.qt-project.org/#change,40034

Timeline
--------

13 November 2012 - Issue identified by Richard J. Moore (Westpoint Ltd) and
                   Peter Hartmann (RIM)
14 November 2012 - Issue triaged by Qt security team.
17 November 2012 - Patches and test case developed by Richard J. Moore.
30 November 2012 - Advisory release coordinated with Qt 4.8.4 release.


More information about the Announce mailing list