KDE FTP KIOslave: Command injection
Gentoo Linux Security Advisory
||GLSA 200501-18 / konqueror
||January 11, 2005
||January 12, 2005: 02
All supported architectures
The FTP KIOslave contains a bug allowing users to execute arbitrary FTP
KDE is a feature-rich graphical desktop environment for Linux and
Unix-like Operating Systems. KDE provided KIOslaves for many protocols
in the kdelibs package, one of them being FTP. These are used by KDE
applications such as Konqueror.
The FTP KIOslave fails to properly parse URL-encoded newline
An attacker could exploit this to execute arbitrary FTP commands on the
server and due to similiarities between the FTP and the SMTP protocol,
this vulnerability also allows an attacker to connect to a SMTP server
and issue arbitrary commands, for example sending an email.
There is no known workaround at this time.
All kdelibs users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose kde-base/kdelibs