Qt Project Security Advisory ---------------------------- Title: QML XmlHttpRequest Insecure Redirection Risk Rating: Low Platforms: All Modules: QtQuick1, QtDeclarative Versions: 4.8.3 and previous Author: Richard J. Moore <r...@kde.org> Date: 17 November 2012
Overview -------- The XMLHttpRequest object in Qt is intended to offer similar behaviour to that in web browsers, though it intentionally does not enforce the same-orign policy. It has been determined that the implementation in Qt will allow redirection from http to file schemes which may allow an attacker performing a man-in-the-middle attack to cause QML applications to leak sensitive information. Details ------- If an attacker performs a MITM attack, then they have the ability to manipulate the data received by a QML application. By causing the HTTP response to be a redirect they can cause applications to unintentionally read local file by redirecting to a file: URL. The redirection handling is performed automatically by QML and cannot be disabled. Impact ------ An application may be tricked into loading data that it thinks is not sensitive (e.g. data loaded from a public web page) but which is in fact sensitive. The application may then process the information (eg. by posting it publicly) leading to an information disclosure flaw. Workaround ---------- None Solution -------- Upgrade to Qt 4.8.4 or apply the patch below: https://codereview.qt-project.org/#change,40034 Timeline -------- 13 November 2012 - Issue identified by Richard J. Moore (Westpoint Ltd) and Peter Hartmann (RIM) 14 November 2012 - Issue triaged by Qt security team. 17 November 2012 - Patches and test case developed by Richard J. Moore. 30 November 2012 - Advisory release coordinated with Qt 4.8.4 release. _______________________________________________ Announce mailing list annou...@qt-project.org http://lists.qt-project.org/mailman/listinfo/announce _______________________________________________ Development mailing list Development@qt-project.org http://lists.qt-project.org/mailman/listinfo/development