From kmail-devel Tue Oct 31 20:41:40 2000
From: Michael Haeckel
Date: Tue, 31 Oct 2000 20:41:40 +0000
To: kmail-devel
Subject: Bug#14253: kmail html security bug
X-MARC-Message: https://marc.info/?l=kmail-devel&m=97302543109443

On Tuesday, 31. October 2000 20:34, TiloUlbrich@web.de wrote:
> Hi
> I found a security bug in KMail V 1.1.99 (KDE2.0).
>
> If the HTML view for messages is activated, an HTML link can point to a local
> program, and KMail executes it if I click the link. KMail executes it WITHOUT a
> warning (see Konqi; he shows a little yes/no question).
>
> So it is possible to exec programs which don't need arguments, e.g.
> "/sbin/halt" if I work as "root" would be big shit.

Don't run KDE as root.

> It would be a good thing to disable the HTML view by default.

We have a big fat warning in our configuration dialog that HTML mail is a
security risk.

> html code:
>
> ** SHUTDOWN ** (only root)
> run "/sbin/halt"
>
> ** KWRITE ** (all users)
> run "/opt/kde2/bin/kwrite"

Sorry, can't reproduce. If I create an HTML mail like this, the link is blue,
but not clickable. If I use href="file:/opt/kde2/bin/kwrite" the link is at
least clickable, but nothing happens, although the file exists.

Can you send me a mail that contains such a risk?

Regards,
Michael Häckel

_______________________________________________
Kmail Developers mailing list
Kmail@master.kde.org
http://master.kde.org/mailman/listinfo/kmail