On Tuesday, 31. October 2000 20:34, TiloUlbrich@web.de wrote:
> Hi
> I found a security bug in KMail V 1.1.99 (KDE 2.0).
>
> If the HTML view for messages is activated, an HTML link can point to a local
> program, and KMail executes it if I click the link. KMail executes it WITHOUT a
> warning (see Konqi; he shows a little yes/no question).
>
> So it is possible to execute programs which need no arguments, e.g.
> "/sbin/halt", which would be big shit if I were working as "root".

Don't run KDE as root.

> It would be a good thing to disable the HTML view by default.

We have a big fat warning in our configuration dialog that HTML mail is a
security risk.

> html code:
>
> ** SHUTDOWN ** (only root)
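As an added example (not KMail's code and not part of this thread), here is the kind of link-target policy a mail client can apply before handing an href from an HTML message to a launcher: remote and mailto links open, local file links need a confirmation prompt, and anything that resolves to a local executable is refused outright. The `is_executable` hook is an assumption introduced so the policy can be exercised against a constructed table instead of the real filesystem.

```python
"""Gate link activation from HTML mail so a link can never start a local program.

Added example; this is not KMail code. Policy: 'open' for remote/mail links,
'confirm' for local documents, 'refuse' for local executables and unknown schemes.
"""
import os
import stat
from urllib.parse import unquote, urlparse

REMOTE_SCHEMES = {"http", "https", "ftp"}
MAIL_SCHEMES = {"mailto"}


def _is_executable_file(path: str) -> bool:
    """Default hook: a regular file with any execute bit set counts as a program."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & exec_bits)


def classify_link(href: str, is_executable=None) -> str:
    """Return 'open', 'confirm' or 'refuse' for a link found in an HTML message.

    is_executable is an assumed callable(path) -> bool so callers (and tests) can
    substitute a constructed table for a real stat() of the local filesystem.
    """
    if is_executable is None:
        is_executable = _is_executable_file
    url = urlparse(href.strip())
    scheme = url.scheme.lower()
    if scheme in REMOTE_SCHEMES or scheme in MAIL_SCHEMES:
        return "open"
    # file: URLs and scheme-less absolute paths both point at the local machine;
    # percent-decoding first prevents "%68alt" from hiding "halt" from the check.
    if scheme == "file" or (scheme == "" and url.path.startswith("/")):
        path = unquote(url.path)
        if is_executable(path):
            return "refuse"  # a mail link must never start a local program
        return "confirm"  # viewing a local document still gets a yes/no prompt
    # javascript:, custom helpers, relative paths: not something mail should launch.
    return "refuse"


def activate_link(href: str, confirm, is_executable=None) -> bool:
    """Decide whether the launcher is invoked; confirm() is the user's yes/no prompt."""
    decision = classify_link(href, is_executable)
    if decision == "open":
        return True
    if decision == "confirm":
        return bool(confirm(href))
    return False
```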