List:       kde-devel
Subject:    Bug#14253: kmail html security bug
From:       Daniel Naber <daniel.naber () t-online ! de>
Date:       2000-10-31 20:27:24

On Tuesday 31 October 2000 20:34, TiloUlbrich@web.de wrote:

> So it is possible to exec programs which need no arguments. E.g.
> "/sbin/halt" if I work with "root" were big shit.

Nobody is supposed to run KDE as root.

> It was a good thing to disable the HTML-View for default.

It is, or wasn't it for you?

Anyway, thanks for the bug report. I will also increase severity, as it 
should be fixed. See below for how to reproduce (you need the file
of course. Click on the link and it will start.)

To the khtml guys: how can we disable executing local URLs on click?

regards
 Daniel

-- 
Daniel Naber, Paul-Gerhardt-Str. 2, 33332 Gütersloh
Tel. 05241-59371, Mobil 0170-4819674

["localexec.html" (text/html)]

<html><head><title>test local /usr/bin/ls</title></head>
<body>

test: <a href="/usr/bin/xmms">/usr/bin/xmms</a>

</body>
</html>
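
One way to express the check asked about above ("how can we disable executing local URLs on click?"), as an added example that is not part of the original message and not KDE or khtml code. The names `classifyMailLink`, `LinkAction` and `urlScheme`, the allow-list of schemes, and the sample inputs are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical verdict for a link clicked inside an HTML mail body.
enum class LinkAction { OpenExternally, Block };

// Return the lower-cased scheme (RFC 3986: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") ":"),
// or "" when the reference has no valid scheme, as with "/usr/bin/xmms".
static std::string urlScheme(const std::string &href) {
    const std::string::size_type colon = href.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    if (!std::isalpha(static_cast<unsigned char>(href[0]))) return "";
    std::string scheme;
    for (std::string::size_type i = 0; i < colon; ++i) {
        const unsigned char c = static_cast<unsigned char>(href[i]);
        if (!std::isalnum(c) && c != '+' && c != '-' && c != '.') return "";
        scheme += static_cast<char>(std::tolower(c));
    }
    return scheme;
}

// Allow-list policy: only remote schemes leave the mail viewer. A reference
// without a scheme is relative, and a mail has no remote base URL, so it would
// resolve to a local path; it is blocked together with "file:" and anything
// else not listed. Unparseable input fails closed.
LinkAction classifyMailLink(const std::string &href) {
    static const char *const allowed[] = {"http", "https", "ftp", "mailto"}; // assumed list
    const std::string scheme = urlScheme(href);
    if (scheme.empty()) return LinkAction::Block;
    for (const char *a : allowed)
        if (scheme == a) return LinkAction::OpenExternally;
    return LinkAction::Block;
}

int main() {
    // Constructed sample hrefs; the first is the one in localexec.html.
    const char *samples[] = {"/usr/bin/xmms", "file:///sbin/halt", "http://www.kde.org/"};
    for (const char *s : samples)
        std::cout << s << " -> "
                  << (classifyMailLink(s) == LinkAction::Block ? "block" : "open") << "\n";
    return 0;
}
```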
