Bug #16325 “CAN-2005-0404: HTML content spoofing” : Bugs : kdepim package : Ubuntu

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-04-21:

#1

Message-Id: <email address hidden>
Date: Thu, 21 Apr 2005 10:34:51 +1000
From: "Geoff Crompton" <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: CAN-2005-0404: serious content spoofing vulnerability

Package: kmail
Severity: grave
Justification: user security hole

For more information see:
http://www.securityfocus.com/bid/13085

In summary:
> A remote email message content spoofing vulnerability affects KDE
> KMail. This issue is due to a failure of the application to properly
> sanitize HTML email messages.
> An attacker may leverage this issue to spoof email content and various
> header fields of email messages. This may aid an attacker in
> conducting phishing and social engineering attacks by spoofing PGP
> keys as well as other critical information.

securityfocus list 3.3.2 as vulnerable, which is currently in Sarge and
Sid. No idea if it would affect 2.2.2 which is in Woody.

See KDE bug 96020.

Work around is to disable HTML email.

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Revision history for this message

Martin Pitt (pitti) wrote on 2005-05-20:

#2

For some reason, bugzilla did not import the rather important reply to the
Debian bug. I spoke with Jonathan Riddell a while ago, and this is by far not a
serious bug, so let's defer this a little.

Talking to upstream, it seems that the bug isn't quite as serious as the
summary might suggest.

Here's Dirk Mueller:

---
It does affect kmail 3.4 the same way it affected all older versions.
however, this proof of concept is pretty lame. it doesn't match the colors,
the fonts or even the font sizes. of course you could theoretically tune
for that.

it doesn't have the usual link to the status popup though, and its clearly
mentioned in several places that HTML rendering has phishing problems, and
HTML rendering is *disabled* by *default* in kmail, and you get a pretty
huge warning if you still enable it.

anyway, the html bar also indicates that this is a spoofed message. maybe
not in an obvious way.

the only way we could mitigate this attack for real though is to load the
actual content in a separate frame, so that it cannot paint over kmail
specific HTML. This is a long term todo, and there are a few bits missing
in KHTML in order to achieve that.

so I'd either close it as wontfix or as duplicate, whatever you prefer.
---

So it would appear that while KMail's behaviour makes phishing easier than
it perhaps should be, in the real world far from a magical pass into the
the user's confidence.

Moreover, the only fix for the foreseeable future would be to disable HTML
mail completely (it's already off by default and comes with a security
warning). I don't believe that to be a reasonable course of action, as it
would severely reduce KMail's usefulness for many users with only a minimal
increase in theoretical security.

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-09-22:

#3

Message-Id: <email address hidden>
Date: Sun, 24 Apr 2005 19:06:42 -0400
From: Christopher Martin <email address hidden>
To: <email address hidden>
Subject: add the relevant tags for "HTML Allows Spoofing of Emails Content"

tags 305601 sid sarge
forwarded 305601 http://bugs.kde.org/show_bug.cgi?id=96020
stop

Revision history for this message

Debian Bug Importer (debzilla) wrote on 2005-09-22:

#4

Download full text (3.1 KiB)

Message-Id: <email address hidden>
Date: Sun, 24 Apr 2005 21:43:27 -0400
From: Christopher Martin <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#305601: CAN-2005-0404: serious content spoofing vulnerability

--nextPart5765832.kdKK4uUxLi
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

severity 305601 important
stop

On April 20, 2005 20:34, Geoff Crompton wrote:
> In summary:
> > A remote email message content spoofing vulnerability affects KDE
> > KMail. This issue is due to a failure of the application to properly
> > sanitize HTML email messages.
> > An attacker may leverage this issue to spoof email content and various
> > header fields of email messages. This may aid an attacker in
> > conducting phishing and social engineering attacks by spoofing PGP
> > keys as well as other critical information.
>
> securityfocus list 3.3.2 as vulnerable, which is currently in Sarge and
> Sid. No idea if it would affect 2.2.2 which is in Woody.
>
> See KDE bug 96020.

Talking to upstream, it seems that the bug isn't quite as serious as the=20
summary might suggest.

Here's Dirk Mueller:

=2D--
It does affect kmail 3.4 the same way it affected all older versions.=20
however, this proof of concept is pretty lame. it doesn't match the colors,=
=20
the fonts or even the font sizes. of course you could theoretically tune=20
for that.

it doesn't have the usual link to the status popup though, and its clearly
mentioned in several places that HTML rendering has phishing problems, and
HTML rendering is *disabled* by *default* in kmail, and you get a pretty=20
huge warning if you still enable it.

anyway, the html bar also indicates that this is a spoofed message. maybe
not in an obvious way.

the only way we could mitigate this attack for real though is to load the
actual content in a separate frame, so that it cannot paint over kmail
specific HTML. This is a long term todo, and there are a few bits missing
in KHTML in order to achieve that.

so I'd either close it as wontfix or as duplicate, whatever you prefer.
=2D--

So it would appear that while KMail's behaviour makes phishing easier than=
=20
it perhaps should be, in the real world far from a magical pass into the=20
the user's confidence.

Moreover, the only fix for the foreseeable future would be to disable HTML=
=20
mail completely (it's already off by default and comes with a security=20
warning). I don't believe that to be a reasonable course of action, as it=20
would severely reduce KMail's usefulness for many users with only a minimal=
=20
increase in theoretical security.

Thus while this is an important problem, I don't feel it be in any sense=20
release-critical.

Cheers,
Christopher Martin

--nextPart5765832.kdKK4uUxLi
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Signed by Christopher Martin <email address hidden>

iD8DBQBCbEtEU+gWW+vtsysRAm0eAKCCDtO0++UqvHxGFn2uBV3DA0hmdACglqRC
s02XvjeVT35ij52yIb+JBWY=
=DrkY
-----END PGP SIGNATURE-----

--nextPart5765832.kdKK4uUx...

Message-Id: <200504242143.32912.christopher.martin@utoronto.ca>
Date: Sun, 24 Apr 2005 21:43:27 -0400
From: Christopher Martin <christopher.martin@utoronto.ca>
To: 305601@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#305601: CAN-2005-0404: serious content spoofing vulnerability

--nextPart5765832.kdKK4uUxLi
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

severity 305601 important
stop

On April 20, 2005 20:34, Geoff Crompton wrote:
> In summary:
> > A remote email message content spoofing vulnerability affects KDE
> > KMail.  This issue is due to a failure of the application to properly
> > sanitize HTML email messages.
> > An attacker may leverage this issue to spoof email content and various
> > header fields of email messages.  This may aid an attacker in
> > conducting phishing and social engineering attacks by spoofing PGP
> > keys as well as other critical information.
>
> securityfocus list 3.3.2 as vulnerable, which is currently in Sarge and
> Sid. No idea if it would affect 2.2.2 which is in Woody.
>
> See KDE bug 96020.