Comment 0 for bug 1630700
Revision history for this message
| Clive Johnston (clivejo) wrote CVE - KMail - HTML injection in plain text viewer | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0f7b58d
(Get the code!)
KDE Project Security Advisory
=======
Title: KMail: HTML injection
Risk Rating: Important
CVE: #TODO
Platforms: All
Versions: kmail >= 4.4.0
Author: #TODO
Date: #TODO
Overview
========
Through a malicious URL that contained a quote character it
was possible to inject HTML code in KMail's plain text viewer.
Due to the parser used on the URL it was not possible to include
the equal sign (=) or a space into the injected HTML, which greatly
reduces the available HTML functionality. Although it is possible
to include an HTML comment indicator to hide content.
Impact
======
An unauthenticated attacker can send out mails with malicious content
that breaks KMail's plain text HTML escape logic. Due to the limitations
of the provided HTML in itself it might not be serious. But as a way
to break out of KMail's restricted Plain text mode this might open
the way to the exploitation of other vulnerabilities in the HTML viewer
code, which is disabled by default.
Workaround
==========
None.
Solution
========
For KDE Frameworks based releases of KMail apply the following patch to
kcoreaddons:
https:/
p=kcoreaddons.
For KDE 4 apply the following patch:
https:/
p=kdepimlibs.
Credits
=======
Thanks to Roland Tapken for reporting this issue, Andre Heinecke from
Intevation GmbH for analysing the problems and Laurent Montel for
fixing this issue.