Launchpad.net

CVE 2004-1171

KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1) manually entered by the user or (2) created by the SMB protocol handler, stores those credentials for plaintext in the user's .desktop file, which may be created with world-readable permissions, which could allow local users to obtain usernames and passwords for remote resources such as SMB shares.

Related bugs and status

CVE-2004-1171 (Candidate) is related to these bugs:

Bug #11114: CAN-2004-1171: plain text password exposure

Summary				In	Importance	Status
	11114	CAN-2004-1171: plain text password exposure		kdelibs (Ubuntu)	High	Fix Released
	11114	CAN-2004-1171: plain text password exposure		kdelibs (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

References

FULLDISC: 20041129 Password Disc...
MISC: http://www.sec-consult...
GENTOO: GLSA-200412-16
MANDRAKE: MDKSA-2004:150
CERT-VN: VU#305294
CIAC: P-051
BID: 11866
OSVDB: 12248
SECTRACK: 1012471
SECUNIA: 13560
SECUNIA: 13477
SECUNIA: 13486
CONFIRM: http://www.kde.org/inf...
BUGTRAQ: 20041129 Password Disc...
BUGTRAQ: 20041209 KDE Security ...
XF: kde-smb-password-plain...