List: kfm-devel
Subject: Re: Possible security problem in KHTML or KMail?
From: Ingo Klöcker <ingo.kloecker () epost ! de>
Date: 2001-10-10 19:14:59
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Wednesday 10 October 2001 03:29, Malte Starostik wrote:
> Although external references are disabled, this "works" in a HTML
> mail:
>
> <html><head></head><body>
> <iframe width="200" height="300" src="/etc/passwd"></iframe>
> </body></html>
>
> (see the attachment to this mail for an example)
>
> I'm not sure if there are any possible security/privacy problems with
> this, and whether KHTML or KMail is to blame here. Therefore
> crossposting.
IMHO this is no security problem. The only security problem is allowing
HTML messages to be rendered at all.

BTW, it also works with normal frames, e.g.

<html><head></head><frameset><frame src="/etc/passwd"></frameset>
<body></body></html>

The bad thing about this example is that right clicking in the message
pane where the passwd file is displayed seems to cause a race condition
(KMail->100% CPU). Killing KMail with killall -6 yields the following
backtrace (kdelibs cvs from last weekend):

[New Thread 1024 (LWP 2255)]
0x413e4289 in wait4 () from /lib/libc.so.6
#0 0x413e4289 in wait4 () from /lib/libc.so.6
#1 0x41452828 in __DTOR_END__ () from /lib/libc.so.6
#2 0x40a93237 in waitpid () from /lib/libpthread.so.0
#3 0x409b6faa in KCrash::defaultCrashHandler (signal=6)
at ../../../kdelibs/kdecore/kcrash.cpp:211
#4 0x40a90dbd in pthread_sighandler () from /lib/libpthread.so.0
#5 <signal handler called>
#6 0x4011127e in DOM::DocumentImpl::updateRendering (this=0x83f9378)
at ../../../../kdelibs/khtml/xml/dom_docimpl.cpp:679
#7 0x4011727c in DOM::NodeImpl::dispatchGenericEvent (this=0x842a2b8,
evt=0x8506340) at ../../../../kdelibs/khtml/xml/dom_nodeimpl.cpp:555
#8 0x40116f16 in DOM::NodeImpl::dispatchEvent (this=0x842a2b8,
evt=0x8506340,
exceptioncode=@0xbfffebe4)
at ../../../../kdelibs/khtml/xml/dom_nodeimpl.cpp:483
#9 0x400d34bb in KHTMLView::dispatchMouseEvent (this=0x8352db0,
eventId=5,
targetNode=0x842a2b8, cancelable=true, detail=1, _mouse=0x84fa110,
setUnder=true, mouseEventType=0)
at ../../../kdelibs/khtml/khtmlview.cpp:1136
#10 0x400cec91 in KHTMLView::viewportMousePressEvent (this=0x8352db0,
_mouse=0x84fa110) at ../../../kdelibs/khtml/khtmlview.cpp:388
#11 0x40dcf302 in QScrollView::eventFilter (this=0x8352db0,
obj=0x8354238,
e=0x84fa110) at widgets/qscrollview.cpp:1339
#12 0x40cf320e in QObject::activate_filters (this=0x8354238,
e=0x84fa110)
at kernel/qobject.cpp:765
#13 0x40cf3025 in QObject::event (this=0x8354238, e=0x84fa110)
at kernel/qobject.cpp:642
#14 0x40d22e55 in QWidget::event (this=0x8354238, e=0x84fa110)
at kernel/qwidget.cpp:4082
#15 0x40cacb68 in QApplication::internalNotify (this=0xbffff484,
receiver=0x8354238, e=0x84fa110) at kernel/qapplication.cpp:2125
#16 0x40cac1d3 in QApplication::notify (this=0xbffff484,
receiver=0x848a6d8,
e=0xbffff094) at kernel/qapplication.cpp:1968
#17 0x4092b435 in KApplication::notify (this=0xbffff484,
receiver=0x848a6d8,
event=0xbffff094) at ../../../kdelibs/kdecore/kapplication.cpp:537
#18 0x41041b14 in QApplication::sendSpontaneousEvent
(receiver=0x848a6d8,
event=0xbffff094) at .moc/debug-mt/../../kernel/qapplication.h:451
#19 0x40c5c4c4 in QETWidget::translateMouseEvent (this=0x848a6d8,
event=0xbffff2fc) at kernel/qapplication_x11.cpp:4700
#20 0x40c593e0 in QApplication::x11ProcessEvent (this=0xbffff484,
event=0xbffff2fc) at kernel/qapplication_x11.cpp:3581
#21 0x40c57f09 in QApplication::processNextEvent (this=0xbffff484,
canWait=true) at kernel/qapplication_x11.cpp:3102
#22 0x40cae5d4 in QApplication::enter_loop (this=0xbffff484)
at kernel/qapplication.cpp:2966
#23 0x40c57e0b in QApplication::exec (this=0xbffff484)
at kernel/qapplication_x11.cpp:3058
#24 0x81aeea5 in main (argc=1, argv=0xbffff60c)
at ../../../kdenetwork/kmail/main.cpp:261
#25 0x41357c6f in __libc_start_main () from /lib/libc.so.6
Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE7xJ43GnR+RTDgudgRAgK4AJ9BlyVIC8+DR9t3Z3R3LtiF1po4yQCfV2Tw
a1XUHaj7OsopHA6jrCbPlBw=
=9lMP
-----END PGP SIGNATURE-----
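
Added example, not part of the original message and not KMail or KHTML code: a Python check that finds the frame and iframe references shown in this thread, where src points at a local path rather than a remote URL, so a mail filter or test suite can flag them. The names is_local_ref and find_local_frame_refs, the rule that schemeless and file: sources count as local, and the third sample input are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FRAME_TAGS = {"iframe", "frame"}  # the two element types shown in the thread

def is_local_ref(src):
    """True if src would be resolved against the reader's own filesystem.

    Assumption of this example: a source with no scheme and no host
    ("/etc/passwd") or with the file: scheme is local; cid:, http:, etc. are not.
    """
    parts = urlsplit(src.strip())
    scheme = parts.scheme.lower()
    if scheme == "file":
        return True
    return scheme == "" and not parts.netloc and parts.path != ""

class FrameRefScanner(HTMLParser):
    """Collects (tag, src) pairs for frames whose src is a local reference."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag not in FRAME_TAGS:
            return
        for name, value in attrs:
            if name == "src" and value and is_local_ref(value):
                self.hits.append((tag, value))

def find_local_frame_refs(html):
    scanner = FrameRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits

# The two message bodies quoted in the thread.
IFRAME_MAIL = ('<html><head></head><body>\n'
               '<iframe width="200" height="300" src="/etc/passwd"></iframe>\n'
               '</body></html>')
FRAMESET_MAIL = ('<html><head></head><frameset><frame src="/etc/passwd"></frameset>\n'
                 '<body></body></html>')
# Constructed input: an embedded part, a remote URL, and a file: URL.
CONSTRUCTED = ('<iframe src="cid:part1@example.invalid"></iframe>'
               '<iframe src="http://example.invalid/a"></iframe>'
               '<frame src="file:///etc/passwd">')

if __name__ == "__main__":
    for body in (IFRAME_MAIL, FRAMESET_MAIL, CONSTRUCTED):
        print(find_local_frame_refs(body))
```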