Skip to content

CVE-2018-10895: Remote code execution due to CSRF on the qute://settings page #4060

New issue
New issue
Closed
Closed
CVE-2018-10895: Remote code execution due to CSRF on the qute://settings page#4060
Labels
bug: behaviorSomething doesn't work as intended, but doesn't crash.component: configIssues related to configuration.priority: 0 - highIssues which are currently the primary focus.
@The-Compiler

Description

@The-Compiler
The-Compiler
opened on Jul 11, 2018

Description

Due to a CSRF vulnerability affecting the qute://settings page, it was
possible for websites to modify qutebrowser settings. Via settings like
editor.command, this possibly allowed websites to execute arbitrary code.

This issue has been assigned CVE-2018-10895.

Affected versions

The issue was introduced in v1.0.0, as part of commit ffc29ee.

It was fixed in the v1.4.1 release, in commit 43e58ac.

All releases between v1.0.0 and v1.4.0 (inclusive) are affected.
Backported patches are available, but no additional releases are planned:

v1.1.x: ff686ff (patch)
v1.2.x: c3361c3 (patch)
v1.3.x: c2ff32d (patch)
v1.4.x: 22148ce (patch)
master: 43e58ac (patch)

Timeline

2018-07-09: I was made aware of the original issue privately (initially
believed by the reporter to only be a DoS issue), developed a fix and contacted
the distros Openwall mailinglist to organize a disclosure date to give
distributions time to coordinate releasing of a fix.

2018-07-10: Slightly updated patch sent to the distros mailinglist.

2018-07-11: Public disclosure.

Mitigation

Please upgrade to v1.4.1 or apply the patches above.

Note that disabling loading of autoconfig.yml is not a suitable remedy, since
settings are still applied until the next restart.

As a workaround, it's possible to patch out the vulnerable code via a
config.py file:

from qutebrowser.browser import qutescheme
qutescheme._qute_settings_set = lambda url: ('text/html', '')

While there is no known exploit for this in the wild, users are advised to
check their autoconfig.yml file (located in the config folder shown in
:version) for any unwanted modifications.

Credits

Thanks to:

  • toofar for reporting the initial issue.
  • Allan Sandfeld Jensen (carewolf) and Jüri Valdmann (juvaldma) of The Qt
    Company for their assistance with triaging and fixing the issue.
  • toofar and Jay Kamat (jgkamat) for reviewing the patch.
  • Morten Linderud (Foxboron) for suggestions on how to disclose this
    properly.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bug: behaviorSomething doesn't work as intended, but doesn't crash.component: configIssues related to configuration.priority: 0 - highIssues which are currently the primary focus.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions