CAN-2005-0404: HTML content spoofing

Bug #16325 reported by Debian Bug Importer on 2005-04-21
Affects          Status        Importance  Assigned to       Milestone
KDE PIM          Fix Released  Medium
kdepim (Debian)  Fix Released  Unknown
kdepim (Ubuntu)                Medium      Jonathan Riddell

Bug Description

Automatically imported from Debian bug report #305601 http://bugs.debian.org/305601

CVE References

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Thu, 21 Apr 2005 10:34:51 +1000
From: "Geoff Crompton" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2005-0404: serious content spoofing vulnerability

Package: kmail
Severity: grave
Justification: user security hole

For more information see:
http://www.securityfocus.com/bid/13085

In summary:
> A remote email message content spoofing vulnerability affects KDE
> KMail. This issue is due to a failure of the application to properly
> sanitize HTML email messages.
> An attacker may leverage this issue to spoof email content and various
> header fields of email messages. This may aid an attacker in
> conducting phishing and social engineering attacks by spoofing PGP
> keys as well as other critical information.

securityfocus lists 3.3.2 as vulnerable, which is currently in Sarge and
Sid. No idea if it would affect 2.2.2, which is in Woody.

See KDE bug 96020.

Workaround is to disable HTML email.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Martin Pitt (pitti) wrote :

For some reason, bugzilla did not import the rather important reply to the
Debian bug. I spoke with Jonathan Riddell a while ago, and this is by far not a
serious bug, so let's defer this a little.

Talking to upstream, it seems that the bug isn't quite as serious as the
summary might suggest.

Here's Dirk Mueller:

---
It does affect KMail 3.4 the same way it affected all older versions.
However, this proof of concept is pretty lame. It doesn't match the colors,
the fonts or even the font sizes. Of course you could theoretically tune
for that.

It doesn't have the usual link to the status popup though, and it's clearly
mentioned in several places that HTML rendering has phishing problems, and
HTML rendering is *disabled* by *default* in KMail, and you get a pretty
huge warning if you still enable it.

Anyway, the HTML bar also indicates that this is a spoofed message. Maybe
not in an obvious way.

The only way we could mitigate this attack for real, though, is to load the
actual content in a separate frame, so that it cannot paint over KMail-specific
HTML. This is a long-term to-do, and there are a few bits missing
in KHTML in order to achieve that.

So I'd either close it as wontfix or as duplicate, whatever you prefer.
---

So it would appear that while KMail's behaviour makes phishing easier than
it perhaps should be, in the real world it is far from a magical pass into
the user's confidence.

Moreover, the only fix for the foreseeable future would be to disable HTML
mail completely (it's already off by default and comes with a security
warning). I don't believe that to be a reasonable course of action, as it
would severely reduce KMail's usefulness for many users with only a minimal
increase in theoretical security.
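The frame isolation Dirk Mueller describes, sketched as an added example that is not KMail's or KHTML's code: the client's own header chrome is rendered in the trusted document and the untrusted HTML body is confined to a sandboxed iframe. The function names (renderChrome, renderInline, renderFramed, bodyIsConfined) and the sample message are assumptions made for the illustration.

```javascript
// Added sketch of the "separate frame" mitigation; not KMail/KHTML code.
// Trusted chrome (From/Subject/status bar) is emitted into the client's own
// document, the untrusted body into <iframe sandbox="" srcdoc="..."> only.

// Escape untrusted text for an attribute value or element body.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Trusted chrome rendered by the client itself.
function renderChrome(headers) {
  return '<div id="chrome">' +
    "<div>From: " + escapeHtml(headers.from) + "</div>" +
    "<div>Subject: " + escapeHtml(headers.subject) + "</div>" +
    '<div id="status">' + escapeHtml(headers.status) + "</div></div>";
}

// Vulnerable layout, for contrast: body and chrome share one document, so
// positioned elements in the body can overlay the header area.
function renderInline(headers, untrustedBody) {
  return renderChrome(headers) + '<div id="body">' + untrustedBody + "</div>";
}

// Hardened layout: sandbox="" gives the frame a unique origin, no scripts and
// no access to the parent DOM, and its content is clipped to the frame's box.
// Escaping srcdoc keeps a body containing '"' or '</iframe>' in the attribute.
function renderFramed(headers, untrustedBody) {
  return renderChrome(headers) +
    '<iframe sandbox="" referrerpolicy="no-referrer" srcdoc="' +
    escapeHtml(untrustedBody) + '"></iframe>';
}

// True when the only raw tags in the output are the renderer's own, i.e. no
// markup from the body reached the trusted document.
function bodyIsConfined(rendered) {
  const own = renderFramed({ from: "", subject: "", status: "" }, "");
  return (rendered.match(/</g) || []).length === (own.match(/</g) || []).length;
}

// Constructed sample input (not taken from the report).
const SAMPLE_HEADERS = { from: "Alice <alice@example.test>", subject: "Hello",
                         status: "HTML message; no signature" };
const SAMPLE_BODY = '<div style="position:absolute;top:0">overlay</div>"></iframe>';
console.log(bodyIsConfined(renderInline(SAMPLE_HEADERS, SAMPLE_BODY)),  // false
            bodyIsConfined(renderFramed(SAMPLE_HEADERS, SAMPLE_BODY)));  // true
```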

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Apr 2005 19:06:42 -0400
From: Christopher Martin <email address hidden>
To: <email address hidden>
Subject: add the relevant tags for "HTML Allows Spoofing of Emails Content"

tags 305601 sid sarge
forwarded 305601 http://bugs.kde.org/show_bug.cgi?id=96020
stop

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 24 Apr 2005 21:43:27 -0400
From: Christopher Martin <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#305601: CAN-2005-0404: serious content spoofing vulnerability


severity 305601 important
stop

On April 20, 2005 20:34, Geoff Crompton wrote:
> In summary:
> > A remote email message content spoofing vulnerability affects KDE
> > KMail. This issue is due to a failure of the application to properly
> > sanitize HTML email messages.
> > An attacker may leverage this issue to spoof email content and various
> > header fields of email messages. This may aid an attacker in
> > conducting phishing and social engineering attacks by spoofing PGP
> > keys as well as other critical information.
>
> securityfocus lists 3.3.2 as vulnerable, which is currently in Sarge and
> Sid. No idea if it would affect 2.2.2, which is in Woody.
>
> See KDE bug 96020.

Talking to upstream, it seems that the bug isn't quite as serious as the
summary might suggest.

Here's Dirk Mueller:

---
It does affect KMail 3.4 the same way it affected all older versions.
However, this proof of concept is pretty lame. It doesn't match the colors,
the fonts or even the font sizes. Of course you could theoretically tune
for that.

It doesn't have the usual link to the status popup though, and it's clearly
mentioned in several places that HTML rendering has phishing problems, and
HTML rendering is *disabled* by *default* in KMail, and you get a pretty
huge warning if you still enable it.

Anyway, the HTML bar also indicates that this is a spoofed message. Maybe
not in an obvious way.

The only way we could mitigate this attack for real, though, is to load the
actual content in a separate frame, so that it cannot paint over KMail-specific
HTML. This is a long-term to-do, and there are a few bits missing
in KHTML in order to achieve that.

So I'd either close it as wontfix or as duplicate, whatever you prefer.
---

So it would appear that while KMail's behaviour makes phishing easier than
it perhaps should be, in the real world it is far from a magical pass into
the user's confidence.

Moreover, the only fix for the foreseeable future would be to disable HTML
mail completely (it's already off by default and comes with a security
warning). I don't believe that to be a reasonable course of action, as it
would severely reduce KMail's usefulness for many users with only a minimal
increase in theoretical security.

Thus, while this is an important problem, I don't feel it to be in any sense
release-critical.

Cheers,
Christopher Martin


Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sat, 9 Jul 2005 17:57:05 +0300
From: Joey Hess <email address hidden>
To: <email address hidden>
Subject: tagging 305601

# Automatically generated email from bts, devscripts version 2.8.15
tags 305601 etch

Paul Dufresne (paulduf) wrote :

Just marking as confirmed, since most people seem to agree that it should eventually be fixed, even if the solution is unclear.

Changed in kdepim:
status: Unconfirmed → Confirmed

Richard Johnson (nixternal) wrote :

Is there any status on this? It has been 8 months since Paul marked this as confirmed.

Jonathan Jesse (jjesse) wrote :

Following up on Rich's last request on 2007-06-08, can we close/resolve this bug? Didn't know how to deal with it, as it is/was a security problem.

Thanks,

Jonathan

Fabio Alessandro Locati (f4l3) wrote :

Well guys, in the config it is written that activating HTML mails can put your computer in a dangerous situation... I don't see the problem with the bug. Maybe the only thing is that Kubuntu has to deactivate HTML emails by default...

Jonathan Thomas (echidnaman) wrote :

This is what KMail does in later versions.

Changed in kdepim:
status: Confirmed → Fix Released
Changed in kdepim:
status: New → Fix Released
Changed in kdepim:
importance: Unknown → Medium
Changed in kdepim (Debian):
status: Confirmed → Fix Released