
Bug#305601: CAN-2005-0404: serious content spoofing vulnerability



severity 305601 important
stop

On April 20, 2005 20:34, Geoff Crompton wrote:
> In summary:
> > A remote email message content spoofing vulnerability affects KDE
> > KMail.  This issue is due to a failure of the application to properly
> > sanitize HTML email messages.
> > An attacker may leverage this issue to spoof email content and various
> > header fields of email messages.  This may aid an attacker in
> > conducting phishing and social engineering attacks by spoofing PGP
> > keys as well as other critical information.
>
> securityfocus lists 3.3.2 as vulnerable, which is currently in Sarge and
> Sid. No idea if it would affect 2.2.2 which is in Woody.
>
> See KDE bug 96020.

Talking to upstream, it seems that the bug isn't quite as serious as the 
summary might suggest.

Here's Dirk Mueller:

---
It does affect kmail 3.4 the same way it affected all older versions. 
however, this proof of concept is pretty lame. it doesn't match the colors, 
the fonts or even the font sizes. of course you could theoretically tune 
for that.

it doesn't have the usual link to the status popup though, and it's clearly
mentioned in several places that HTML rendering has phishing problems, and
HTML rendering is *disabled* by *default* in kmail, and you get a pretty 
huge warning if you still enable it.

anyway, the html bar also indicates that this is a spoofed message. maybe
not in an obvious way.

the only way we could mitigate this attack for real though is to load the
actual content in a separate frame, so that it cannot paint over kmail
specific HTML. This is a long term todo, and there are a few bits missing
in KHTML in order to achieve that.

so I'd either close it as wontfix or as duplicate, whatever you prefer.
---

So it would appear that while KMail's behaviour makes phishing easier than 
it perhaps should be, in the real world it is far from a magical pass into 
the user's confidence.

Moreover, the only fix for the foreseeable future would be to disable HTML 
mail completely (it's already off by default and comes with a security 
warning). I don't believe that to be a reasonable course of action, as it 
would severely reduce KMail's usefulness for many users with only a minimal 
increase in theoretical security.

Thus while this is an important problem, I don't feel it to be in any sense 
release-critical.

Cheers,
Christopher Martin

Attachment: pgpDW81aFA6WY.pgp
Description: PGP signature
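The long-term mitigation Dirk describes above, rendering the message body in a separate frame so it cannot paint over the client's own header chrome, can be illustrated with a small web-client sketch. This is an added example and not code from KMail, KHTML or the bug report; it assumes a modern browser iframe with the `sandbox` and `srcdoc` attributes (features KHTML did not have in 2005), and the helper names, header fields and sample message are constructed for illustration.

```javascript
// Added example: isolate untrusted HTML mail in its own browsing context so
// it cannot overlay the client's trusted header display. Assumes a modern
// browser iframe with `sandbox` and `srcdoc`; not KHTML/KMail code.

// Escape text for safe inclusion in an HTML attribute value or text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Trusted chrome: header fields and signature status the client itself has
// verified. These are rendered in the parent document, where the message
// body has no DOM access and no ability to draw.
function renderTrustedHeaders(headers) {
  const rows = ["from", "to", "subject", "signature"]
    .filter((k) => k in headers)
    .map((k) => `<tr><th>${escapeHtml(k)}</th><td>${escapeHtml(headers[k])}</td></tr>`)
    .join("");
  return `<table class="mail-headers">${rows}</table>`;
}

// Untrusted body: delivered through srcdoc (attribute-escaped so it cannot
// break out of the attribute) into a fully sandboxed iframe. An empty
// sandbox token list denies scripts, forms, plugins and top navigation, and
// because the frame is a separate browsing context, any absolutely
// positioned element in the body is clipped to the frame's box and cannot
// cover the header table rendered above it.
function renderUntrustedBody(html) {
  return `<iframe class="mail-body" sandbox="" referrerpolicy="no-referrer" srcdoc="${escapeHtml(html)}"></iframe>`;
}

// Compose the view: trusted chrome first, untrusted body in its own frame.
function renderMessage(headers, bodyHtml) {
  return renderTrustedHeaders(headers) + renderUntrustedBody(bodyHtml);
}

// Constructed sample message: the body tries to draw a fake "signed by" line
// at the top-left of the viewport. Inside the sandboxed frame it can only
// cover the frame's own area, not the client's header table.
const SAMPLE_HEADERS = {
  from: "alice@example.test",
  subject: "hello",
  signature: "unsigned",
};
const SAMPLE_BODY =
  '<div style="position:absolute;top:0;left:0;background:#fff">Signed by: Alice (trusted key)</div>';

// Usage: renderMessage(SAMPLE_HEADERS, SAMPLE_BODY) returns the markup the
// client would place in its message pane.
```

The design point is the boundary: everything the client vouches for (sender, signature verification result) lives outside the frame, and the only thing the message controls is what is painted inside it. That is what makes the spoofed "signed by" line ineffective even when HTML rendering is enabled.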

