[prev in list] [next in list] [prev in thread] [next in thread]
List: kde-bugs-dist
Subject: Bug#14253: kmail html security bug
From: Michael Haeckel <Michael () Haeckel ! Net>
Date: 2000-10-31 20:41:40
[Download RAW message or body]
On Tuesday, 31. October 2000 20:34, TiloUlbrich@web.de wrote:
>
> Hi
> I found a security bug KMail V 1.1.99 (KDE2.0).
>
> Was the HTML-View for messages activated, a HTML-link can show to a local
> program, and KMail exec it, if i click the link. KMail exec it WITHOUT a
> warning (see Konqi; he shows a little yes/no question).
>
> So it is possible to exec programms which needn't arguments. E.g
> "/sbin/halt" if I work with "root" were big shit.
Don't run KDE as root.
> It was a good thing to disable the HTML-View for default.
We have a big fat warning in our configuration dialog, that HTML mail is a
security risk.
> html code:
> <html>
> <body>
> ** SHUTDOWN ** (only root)<br>
> <a href="/sbin/halt">
> run "/sbin/halt"
> </a>
>
> <p></p>
> <hr>
>
> ** KWRITE ** (all users)<br>
> <a href="/opt/kde2/bin/kwrite">
> run "/opt/kde2/bin/kwrite"
> </a>
Sorry, can't reproduce. If I create a HTML mail like this, the link is blue,
but not clickable. If I use href="file:/opt/kde2/bin/kwrite" the link is at
least clickable, but nothing happens, although the file exists.
Can you send me a mail, that contains such a risk?
Regards,
Michael Häckel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic