[Interest] libeay32.dll - The Ordinal 4369 could not be located
Till Oliver Knoll
till.oliver.knoll at gmail.com
Fri Jan 24 17:51:20 CET 2014
Am 24.01.2014 um 17:13 schrieb Richard Moore <rich at kde.org>:
> On 24 January 2014 14:34, Phil Hannent <phil at hannent.co.uk> wrote:
>> I have a version 1.0 that I can bundle next to the application and to
>> use that. It would certainly be helpful to have the ability to toggle
>> where QLibrary searches in a bid to remove potential security and
>> usability issues, however that's clearly a philosophical point of
>> view.
>
> You mean something like the following methods in QCoreApplication? :-)
>
> static void setLibraryPaths(const QStringList &);
Does that also affect where QWebkit searches for OpenSSL which is /not/ a Qt plugin?
I am afraid that this is not the case, since according to the OP the application tried to pickup corresponding OpenSSL libraries in some foreign program folders ("Tortoise", "CMake") which are /not/ locations where Qt plugins would be searched -> which leads to the assumption that QWebkit is /not/ taking into account the "Qt Plugin Path". And why should it? It is very unlikely than an OpenSSL library is to be found there ;)
So the fact that QWebKit scans some (all?) program directories is probably because those applications have registered their "bin" directories in the Windows Registry to be included in the PATH.
Still, that is rather scary that a plugin is searched in the PATH and indicates (my speculstion!) that QWebkit does /not/ restrict its search with /absolute/ paths which point to well known directories such as c:\Windows\WhateverIsConsideredSecureInHere\OpenSSL.dll. Doh!
By the way, the term to google is "DLL hijacking" or "DLL planting". There was quite some news about this in around 2010 because even MS Office was affected by those *programming errors*. I can't remember the details, but I think the result was that Microsoft added a registry key which would allow users to at least prevent DLLs to be loaded (with a relative path given like LoadLibrary("OpenSSL.dll") <- BAD!) from the current working directory (which would happen e.g. when opening a document from an USB stick or network share/WebDAV folder etc.)
But then again, I am having a hard time trying to imagine that "DLL planting" an OpenSSL library into (Q)Webkit must have gone unnoticed... (do I hear some nervous keyboard hacking somewhere? ;)
Cheers,
Oliver
More information about the Interest
mailing list