
List:       kde-bugs-dist
Subject:    Bug#14253: kmail html security bug
From:       Michael Haeckel <Michael () Haeckel ! Net>
Date:       2000-10-31 20:41:40

On Tuesday, 31. October 2000 20:34, TiloUlbrich@web.de wrote:
>
> Hi
> I found a security bug in KMail V 1.1.99 (KDE2.0).
>
> If the HTML view for messages is activated, an HTML link can point to a local
> program, and KMail executes it if I click the link. KMail executes it WITHOUT a
> warning (see Konqi; he shows a little yes/no question).
>
> So it is possible to execute programs which don't need arguments. E.g.
> "/sbin/halt", if I work as "root", would be big shit.

Don't run KDE as root.

> It would be a good thing to disable the HTML view by default.

We have a big fat warning in our configuration dialog that HTML mail is a 
security risk.

> html code:
> <html>
> <body>
> ** SHUTDOWN ** (only root)<br>
> <a href="/sbin/halt">
> run "/sbin/halt"
> </a>
>
> <p></p>
> <hr>
>
> ** KWRITE ** (all users)<br>
> <a href="/opt/kde2/bin/kwrite">
> run "/opt/kde2/bin/kwrite"
> </a>

Sorry, can't reproduce. If I create an HTML mail like this, the link is blue, 
but not clickable. If I use href="file:/opt/kde2/bin/kwrite" the link is at 
least clickable, but nothing happens, although the file exists.
Can you send me a mail that contains such a risk?

Regards,
Michael Häckel
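
Added example, not part of the original message and not KMail's code: a minimal link audit for an HTML mail body that treats both link forms discussed in this thread (a bare path such as `/sbin/halt` and the `file:` form) as local targets a mail viewer should refuse to launch. The function names, the allow-listed schemes and the block/open/confirm policy are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: schemes a mail viewer may hand to a browser or composer.
REMOTE_SCHEMES = {"http", "https", "mailto"}


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def classify_href(href):
    """Return 'local', 'remote', 'fragment' or 'other' for one link target."""
    parts = urlsplit(href.strip())
    scheme = parts.scheme.lower()
    if scheme == "file":
        return "local"  # file:/opt/... and file:///opt/... alike
    if scheme in REMOTE_SCHEMES:
        return "remote"
    if not scheme and not parts.netloc:
        # A mail has no base URL, so a bare path can only mean the local disk.
        return "local" if parts.path else "fragment"
    return "other"


def audit_mail_html(body):
    """Pair each link with the action a cautious viewer would take."""
    action = {"local": "block", "remote": "open",
              "fragment": "open", "other": "confirm"}
    collector = LinkCollector()
    collector.feed(body)
    return [(h, classify_href(h), action[classify_href(h)]) for h in collector.hrefs]


# Constructed sample: the links from the report plus the file: form from the reply.
SAMPLE = """<html><body>
<a href="/sbin/halt">run "/sbin/halt"</a>
<a href="/opt/kde2/bin/kwrite">run "/opt/kde2/bin/kwrite"</a>
<a href="file:/opt/kde2/bin/kwrite">file: form</a>
<a href="http://www.example.org/">remote link</a>
</body></html>"""

if __name__ == "__main__":
    for href, kind, act in audit_mail_html(SAMPLE):
        print(f"{act:7} {kind:8} {href}")
```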
