CVE-2004-0870 in Konqueror
Summary
by MITRE
KDE Konqueror does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection."
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/21/2018
The vulnerability described in CVE-2004-0870 represents a critical security flaw in KDE Konqueror web browser that violates fundamental principles of web security and cookie management. This issue specifically affects how the browser handles cookie transmission across different security contexts, creating a dangerous overlap between insecure HTTP and secure HTTPS channels. The flaw allows cookies set over HTTP to be inadvertently transmitted to HTTPS destinations within the same domain, effectively breaking the security boundary that should separate these two distinct communication channels.
The technical implementation of this vulnerability stems from Konqueror's failure to properly enforce cookie security policies when cookies are set across different protocols. When a cookie is set over HTTP, it typically should not be automatically included in HTTPS requests to the same domain due to the inherent security implications. However, Konqueror's cookie handling mechanism does not adequately distinguish between these security contexts, permitting the leakage of sensitive authentication tokens and session data from insecure to secure channels. This behavior directly violates the cookie security attributes defined in RFC 2109 and RFC 2965, which specify that cookies with the secure flag should only be transmitted over encrypted connections.
The operational impact of this vulnerability is severe and directly enables several attack vectors that can compromise user sessions and sensitive data. Attackers can exploit this flaw by setting malicious cookies over HTTP on a target domain and then using these cookies to impersonate users on secure HTTPS sites within the same domain. This cross-security boundary cookie injection allows for session hijacking, credential theft, and unauthorized access to protected resources. The vulnerability is particularly dangerous because it operates transparently without user intervention, making it difficult to detect and prevent through standard security measures.
From a cybersecurity perspective, this vulnerability maps directly to CWE-200 (Information Exposure) and CWE-312 (Sensitive Data Exposure) categories, as it enables unauthorized access to sensitive session data. The attack pattern aligns with ATT&CK technique T1566.001 (Phishing: Spearphishing Attachment) and T1531 (Account Access Removal) when considering how attackers might leverage stolen cookies to maintain persistent access to user accounts. The vulnerability also demonstrates a failure in the principle of least privilege, as the browser is not properly enforcing the security boundaries that should separate different communication protocols.
Mitigation strategies for this vulnerability include implementing proper cookie security policies that enforce protocol separation, ensuring that cookies set over HTTP are never transmitted to HTTPS destinations, and implementing strict cookie validation mechanisms. Browser vendors should enforce the secure flag on cookies that should only be transmitted over encrypted channels and implement comprehensive cross-domain cookie management. Additionally, users should be educated about the risks of browsing insecure websites while logged into secure services, and organizations should implement network monitoring to detect unusual cookie transmission patterns. The fix requires fundamental changes to the cookie handling engine to properly enforce security boundaries between HTTP and HTTPS communications, ensuring that cookies are only transmitted according to their defined security attributes and protocol contexts.