[Announce] Qt Project Security Advisory: QML XmlHttpRequest Insecure Redirection

List for announcements regarding Qt releases and development announce at qt-project.org
Fri Nov 30 11:44:08 CET 2012

Qt Project Security Advisory

Title:        QML XmlHttpRequest Insecure Redirection
Risk Rating:  Low
Platforms:    All
Modules:      QtQuick1, QtDeclarative
Versions:     4.8.3 and previous
Author:       Richard J. Moore <rich at kde.org>
Date:         17 November 2012


The XMLHttpRequest object in Qt is intended to offer similar behaviour to that
in web browsers, though it intentionally does not enforce the same-orign
policy. It has been determined that the implementation in Qt will allow
redirection from http to file schemes which may allow an attacker performing a
man-in-the-middle attack to cause QML applications to leak sensitive


If an attacker performs a MITM attack, then they have the ability to
manipulate the data received by a QML application. By causing the HTTP
response to be a redirect they can cause applications to unintentionally read
local file by redirecting to a file: URL. The redirection handling is
performed automatically by QML and cannot be disabled.


An application may be tricked into loading data that it thinks is not
sensitive (e.g. data loaded from a public web page) but which is in fact
sensitive. The application may then process the information (eg. by posting it
publicly) leading to an information disclosure flaw.




Upgrade to Qt 4.8.4 or apply the patch below:



13 November 2012 - Issue identified by Richard J. Moore (Westpoint Ltd) and
                   Peter Hartmann (RIM)
14 November 2012 - Issue triaged by Qt security team.
17 November 2012 - Patches and test case developed by Richard J. Moore.
30 November 2012 - Advisory release coordinated with Qt 4.8.4 release.

More information about the Announce mailing list