15th Oct 2002 [SBWID-5752]
COMMAND
kpf - KDE personal fileserver - permits remote file access
SYSTEMS AFFECTED
kpf of any KDE release between KDE 3.0.1 and KDE 3.0.3a
PROBLEM
Ajay R Ramjatan [simpleguy@simpleguy.com] says:
kpf allows a user to run a small http server and easily 'share' a
directory on a certain port. Using specially crafted URLs, it's possible
to view content outside the specified root directory.
A few days ago, I used the kpf applet to quickly 'share' a directory on
my system for a friend. When testing with a browser, I noticed that
jpeg files had an icon next to them. Curiosity compelled me to check
the path of those icons. It turned out the icons were being read from
my own machine and their URL was in the form
http://127.0.0.1:8001/?icon=/usr/local/kde/share/icons/hicolor/32x32/mimetypes/image.png
Using ?icon=/ in the URL shown above causes kpf to display the system's
root directory, and going from there, it's possible to read any file
which is readable by the user running kpf.
I immediately closed kpf and notified rikkus on #kde-devel@Openprojects
who acknowledged the hole and immediately fixed it.
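The defect described above is a path-containment failure: the value of the ?icon= query parameter was handed to the filesystem without checking that it stayed inside the directory the server was meant to expose. The following Python is an added illustration (not kpf's own code, which is C++, and not taken from the KDE advisory) of the check a small file server needs: every requested path, whether from the URL path or from a parameter such as icon, is normalised and then verified to lie under a fixed root before anything is opened. SHARE_ROOT, ICON_ROOT and the handler names are assumptions made for the example; the sample URLs are constructed from the form shown in the report.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed example values. SHARE_ROOT is the directory the user chose to
# share; ICON_ROOT is the only tree from which mime-type icons may be read.
# kpf's real configuration is not modelled here.
SHARE_ROOT = "/home/ajay/public"
ICON_ROOT = "/usr/local/kde/share/icons/hicolor"


def contain(root, requested):
    """Return the absolute path for `requested` if it resolves under `root`,
    otherwise None.

    The check is purely lexical: '..' segments are collapsed by normpath and
    an absolute `requested` replaces `root` in posixpath.join, so it is only
    accepted if it already lies under `root`. On a live system, follow this
    with os.path.realpath on both sides so a symlink inside the root cannot
    point back outside it.
    """
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def handle_request(url):
    """Map a request URL to (status, filesystem path or None).

    Assumed request model: a plain path is served relative to SHARE_ROOT,
    and a ?icon= parameter is served relative to ICON_ROOT. Both go through
    contain(), so ?icon=/ (the case in the report) and ../ sequences in the
    path are refused with 403 instead of exposing the filesystem.
    """
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if "icon" in query:
        path = contain(ICON_ROOT, query["icon"][0])
    else:
        # Percent-decode first so an encoded '..%2F' cannot slip past normpath.
        relative = unquote(parts.path).lstrip("/") or "."
        path = contain(SHARE_ROOT, relative)
    if path is None:
        return (403, None)
    return (200, path)


if __name__ == "__main__":
    # Constructed requests: the legitimate icon URL from the report, the
    # '?icon=/' variant that exposed the root directory, and a traversal.
    for sample in (
        "http://127.0.0.1:8001/?icon=" + ICON_ROOT + "/32x32/mimetypes/image.png",
        "http://127.0.0.1:8001/?icon=/",
        "http://127.0.0.1:8001/..%2F..%2Fetc/passwd",
        "http://127.0.0.1:8001/photos/a.jpg",
    ):
        print(sample, "->", handle_request(sample))
```

The legitimate icon URL still resolves because it lies under ICON_ROOT, while a bare "/" or any path outside that tree is refused; the same rule protects the shared directory from encoded or literal "../" segments. The lexical check is the minimum; a deployed server should additionally compare realpath() results so symlinks cannot bypass it.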
SOLUTION
The KDE advisory of the problem is here:
http://www.kde.org/info/security/advisory-20021008-2.txt
It lists where to obtain updated packages and patches; the fixed version is
kpf from kdenetwork 3.0.4.