[Announce] Qt Project Security Advisory: QML XmlHttpRequest Insecure Redirection
List for announcements regarding Qt releases and development
announce at qt-project.org
Fri Nov 30 11:44:08 CET 2012
Qt Project Security Advisory
----------------------------
Title: QML XmlHttpRequest Insecure Redirection
Risk Rating: Low
Platforms: All
Modules: QtQuick1, QtDeclarative
Versions: 4.8.3 and previous
Author: Richard J. Moore <rich at kde.org>
Date: 17 November 2012
Overview
--------
The XMLHttpRequest object in Qt is intended to offer similar behaviour to that
in web browsers, though it intentionally does not enforce the same-orign
policy. It has been determined that the implementation in Qt will allow
redirection from http to file schemes which may allow an attacker performing a
man-in-the-middle attack to cause QML applications to leak sensitive
information.
Details
-------
If an attacker performs a MITM attack, then they have the ability to
manipulate the data received by a QML application. By causing the HTTP
response to be a redirect they can cause applications to unintentionally read
local file by redirecting to a file: URL. The redirection handling is
performed automatically by QML and cannot be disabled.
Impact
------
An application may be tricked into loading data that it thinks is not
sensitive (e.g. data loaded from a public web page) but which is in fact
sensitive. The application may then process the information (eg. by posting it
publicly) leading to an information disclosure flaw.
Workaround
----------
None
Solution
--------
Upgrade to Qt 4.8.4 or apply the patch below:
https://codereview.qt-project.org/#change,40034
Timeline
--------
13 November 2012 - Issue identified by Richard J. Moore (Westpoint Ltd) and
Peter Hartmann (RIM)
14 November 2012 - Issue triaged by Qt security team.
17 November 2012 - Patches and test case developed by Richard J. Moore.
30 November 2012 - Advisory release coordinated with Qt 4.8.4 release.
More information about the Announce
mailing list