[TriLUG] konqueror security

Craig Duncan craigduncan at nc.rr.com
Tue Feb 5 11:35:25 EST 2002


What happens, when you log out of KDE and log back in? If this fixes the 
problem, then it would appear that konqueror starts and stops with the 
loading/unloading of KDE, unlike mozilla. In which case, this is not a 
security bug in konqueror, but a security issue with the site's authentication 
design.



On Tuesday 05 February 2002 10:53 am, you wrote:
> Has anyone else experienced using konqueror to access a secure website and
> then been unable to logout of the site?
>
> When I go to my webhost control website, I have to login.  When I am
> finished, I have to close the browser.  That's lame, I know, but that's how
> it is according to the webhost support team.  With Mozilla this works fine.
> With Konqueror I go right back to the secure area I left when I bring up a
> new browser session and access the website again.
>
> I tried turning off cache and purging cache.  I killed all the cookies.  I
> rm'd ~/.kde/share/config/konq_history.  I rm'd
> ~/.kde/share/konqueror/konq_history. Nothing worked to solve this problem.
>
> To make matters worse, the Go-Most Often Visited menu seems impossible to
> clean out.  As a result, any one can click on the links in the list and go
> straight to the secure areas that cannot be logged out of.  I grepped on the
> strings displayed in the menu and never found anything.  I did:
>
> cd ~
> grep -r "menu string here" ./*
>
> Any ideas on how to clean out the Go-Most Often Visited list?
>
> I found that others on the web have discovered this trait in Konqueror and
> described it as Konqueror refusing to release security resources.  They
> also discovered that by logging out, the security resources would be
> released, thus forcing a login to the secure website.  I checked out this
> report and verified it as being true.  The Go-Most Often Visited menu was
> not cleared.
>
> This behavior is unsettling to me.  If I use Konqueror on a machine that
> does not belong to me to access my private accounts, I am left wondering if
> I can eliminate remnants of information about my accounts from that
> machine.  Until I learn more, I will not use any machine that I cannot
> control 100% to access private accounts.  Is this a rational conclusion?
>
> Mke M.
> _______________________________________________
> TriLUG mailing list
> http://www.trilug.org/mailman/listinfo/trilug
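An added example, written for this page and not code from either poster or from KDE: a minimal server-side session store in Python (a hypothetical stand-in for the web host's control site) showing the point behind Craig's diagnosis. If the site only tells users to close the browser, any cookie a browser process or a history link keeps alive stays valid; if the site invalidates the session on logout and on idle timeout, a replayed cookie is refused no matter what the client retained.

```python
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory session store (hypothetical site logic).
SESSIONS: Dict[str, dict] = {}
SESSION_TTL = 15 * 60  # idle timeout, seconds


def login(username: str, now: Optional[float] = None) -> str:
    """Create a server-side session and return the opaque cookie value."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username,
                       "last_seen": time.time() if now is None else now}
    return token


def session_cookie_header(token: str) -> str:
    """Set-Cookie without Expires/Max-Age: meant to die with the browser.
    That is a hint to the client, not the mechanism that ends the session."""
    return f"Set-Cookie: sid={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def authorize(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a live session, else None. Logout and idle
    expiry are enforced here, on the server, whatever the client kept."""
    now = time.time() if now is None else now
    sess = SESSIONS.get(token)
    if sess is None:
        return None
    if now - sess["last_seen"] > SESSION_TTL:
        del SESSIONS[token]  # idle too long: session is gone
        return None
    sess["last_seen"] = now
    return sess["user"]


def logout(token: str) -> bool:
    """Real logout: drop the session so a cached or replayed cookie
    (a new browser window, a history-menu link) no longer grants access."""
    return SESSIONS.pop(token, None) is not None


if __name__ == "__main__":
    sid = login("mike")
    print(session_cookie_header(sid))
    print("before logout:", authorize(sid))  # mike
    logout(sid)
    print("after logout:", authorize(sid))   # None: replay refused
```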