
List:       kfm-devel
Subject:    Re: Possible security problem in KHTML or KMail?
From:       Ingo Klöcker <ingo.kloecker () epost ! de>
Date:       2001-10-10 19:14:59

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 10 October 2001 03:29, Malte Starostik wrote:
> Although external references are disabled, this "works" in a HTML
> mail:
>
> <html><head></head><body>
> <iframe width="200" height="300" src="/etc/passwd"></iframe>
> </body></html>
>
> (see the attachment to this mail for an example)
>
> I'm not sure if there are any possible security/privacy problems with
> this, and whether KHTML or KMail is to blame here. Therefore
> crossposting.

IMHO this is no security problem. The only security problem is allowing 
HTML messages to be rendered at all.

BTW, it also works with normal frames, e.g.

<html><head></head><frameset><frame src="/etc/passwd"></frameset>
<body></body></html>

The bad thing about this example is that right clicking in the message 
pane where the passwd file is displayed seems to cause a race condition 
(KMail->100% CPU). Killing KMail with killall -6 yields the following 
backtrace (kdelibs cvs from last weekend):

[New Thread 1024 (LWP 2255)]
0x413e4289 in wait4 () from /lib/libc.so.6
#0  0x413e4289 in wait4 () from /lib/libc.so.6
#1  0x41452828 in __DTOR_END__ () from /lib/libc.so.6
#2  0x40a93237 in waitpid () from /lib/libpthread.so.0
#3  0x409b6faa in KCrash::defaultCrashHandler (signal=6)
    at ../../../kdelibs/kdecore/kcrash.cpp:211
#4  0x40a90dbd in pthread_sighandler () from /lib/libpthread.so.0
#5  <signal handler called>
#6  0x4011127e in DOM::DocumentImpl::updateRendering (this=0x83f9378)
    at ../../../../kdelibs/khtml/xml/dom_docimpl.cpp:679
#7  0x4011727c in DOM::NodeImpl::dispatchGenericEvent (this=0x842a2b8, evt=0x8506340)
    at ../../../../kdelibs/khtml/xml/dom_nodeimpl.cpp:555
#8  0x40116f16 in DOM::NodeImpl::dispatchEvent (this=0x842a2b8, evt=0x8506340, exceptioncode=@0xbfffebe4)
    at ../../../../kdelibs/khtml/xml/dom_nodeimpl.cpp:483
#9  0x400d34bb in KHTMLView::dispatchMouseEvent (this=0x8352db0, eventId=5, targetNode=0x842a2b8, cancelable=true, detail=1, _mouse=0x84fa110, setUnder=true, mouseEventType=0)
    at ../../../kdelibs/khtml/khtmlview.cpp:1136
#10 0x400cec91 in KHTMLView::viewportMousePressEvent (this=0x8352db0, _mouse=0x84fa110)
    at ../../../kdelibs/khtml/khtmlview.cpp:388
#11 0x40dcf302 in QScrollView::eventFilter (this=0x8352db0, obj=0x8354238, e=0x84fa110)
    at widgets/qscrollview.cpp:1339
#12 0x40cf320e in QObject::activate_filters (this=0x8354238, e=0x84fa110)
    at kernel/qobject.cpp:765
#13 0x40cf3025 in QObject::event (this=0x8354238, e=0x84fa110)
    at kernel/qobject.cpp:642
#14 0x40d22e55 in QWidget::event (this=0x8354238, e=0x84fa110)
    at kernel/qwidget.cpp:4082
#15 0x40cacb68 in QApplication::internalNotify (this=0xbffff484, receiver=0x8354238, e=0x84fa110)
    at kernel/qapplication.cpp:2125
#16 0x40cac1d3 in QApplication::notify (this=0xbffff484, receiver=0x848a6d8, e=0xbffff094)
    at kernel/qapplication.cpp:1968
#17 0x4092b435 in KApplication::notify (this=0xbffff484, receiver=0x848a6d8, event=0xbffff094)
    at ../../../kdelibs/kdecore/kapplication.cpp:537
#18 0x41041b14 in QApplication::sendSpontaneousEvent (receiver=0x848a6d8, event=0xbffff094)
    at .moc/debug-mt/../../kernel/qapplication.h:451
#19 0x40c5c4c4 in QETWidget::translateMouseEvent (this=0x848a6d8, event=0xbffff2fc)
    at kernel/qapplication_x11.cpp:4700
#20 0x40c593e0 in QApplication::x11ProcessEvent (this=0xbffff484, event=0xbffff2fc)
    at kernel/qapplication_x11.cpp:3581
#21 0x40c57f09 in QApplication::processNextEvent (this=0xbffff484, canWait=true)
    at kernel/qapplication_x11.cpp:3102
#22 0x40cae5d4 in QApplication::enter_loop (this=0xbffff484)
    at kernel/qapplication.cpp:2966
#23 0x40c57e0b in QApplication::exec (this=0xbffff484)
    at kernel/qapplication_x11.cpp:3058
#24 0x81aeea5 in main (argc=1, argv=0xbffff60c)
    at ../../../kdenetwork/kmail/main.cpp:261
#25 0x41357c6f in __libc_start_main () from /lib/libc.so.6

Regards,
Ingo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7xJ43GnR+RTDgudgRAgK4AJ9BlyVIC8+DR9t3Z3R3LtiF1po4yQCfV2Tw
a1XUHaj7OsopHA6jrCbPlBw=
=9lMP
-----END PGP SIGNATURE-----
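The two bodies quoted in this thread get past a "disable external references" setting because a bare local path such as /etc/passwd is not a network URL at all. The Python below is an added example, not code from the thread and not KMail or KHTML code, and it does not model how KHTML's filter is actually implemented. It collects the resource-loading attributes from the iframe and frameset bodies posted above (embedded here as constructed samples) and compares two hypothetical policies: a deny-list that treats only http/https/ftp as "external", and an allow-list that permits only cid: references to the message's own MIME parts. The element table, scheme sets and function names are assumptions chosen for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed samples reproducing the two bodies posted in the thread.
IFRAME_MAIL = """<html><head></head><body>
<iframe width="200" height="300" src="/etc/passwd"></iframe>
</body></html>"""

FRAMESET_MAIL = """<html><head></head><frameset><frame src="/etc/passwd"></frameset>
<body></body></html>"""

# Elements whose attributes make a renderer fetch another resource.
# Assumed table for this example; a real renderer has more entry points.
URL_ATTRS = {
    "iframe": ("src",),
    "frame": ("src",),
    "img": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "script": ("src",),
    "link": ("href",),
    "body": ("background",),
}

REMOTE_SCHEMES = {"http", "https", "ftp"}


class RefCollector(HTMLParser):
    """Collects (tag, attribute, value) for every resource reference in a body."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and name in URL_ATTRS.get(tag, ()):
                self.refs.append((tag, name, value))


def collect_refs(html_body):
    parser = RefCollector()
    parser.feed(html_body)
    parser.close()
    return parser.refs


def denylist_blocks(url):
    """Weak policy: 'external' means a network scheme. A bare path, a relative
    path, or file: has no such scheme and is left alone, which is exactly what
    lets /etc/passwd render."""
    return urlsplit(url).scheme.lower() in REMOTE_SCHEMES


def allowlist_blocks(url):
    """Hardened policy: only cid: references to the message's own MIME parts may
    load. Anything else, including schemeless local paths, file:, and schemes
    the policy has never heard of, is blocked."""
    return urlsplit(url).scheme.lower() != "cid"


def audit(html_body, policy):
    """Return the references the given policy would still let the renderer load."""
    return [(tag, attr, value)
            for tag, attr, value in collect_refs(html_body)
            if not policy(value)]


if __name__ == "__main__":
    for label, body in (("iframe", IFRAME_MAIL), ("frameset", FRAMESET_MAIL)):
        print(label, "deny-list lets through:", audit(body, denylist_blocks))
        print(label, "allow-list lets through:", audit(body, allowlist_blocks))
```

The point of the comparison is the direction of the policy: a filter written as "block the schemes we know fetch from the network" has to enumerate every way a path can name a local file, while a filter written as "allow only references into the message itself" blocks the local path, file:, and any scheme added later without further changes.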
