severity 305601 important
stop

On April 20, 2005 20:34, Geoff Crompton wrote:
> In summary:
>
> > A remote email message content spoofing vulnerability affects KDE
> > KMail. This issue is due to a failure of the application to properly
> > sanitize HTML email messages.
> > An attacker may leverage this issue to spoof email content and various
> > header fields of email messages. This may aid an attacker in
> > conducting phishing and social engineering attacks by spoofing PGP
> > keys as well as other critical information.
>
> securityfocus lists 3.3.2 as vulnerable, which is currently in Sarge and
> Sid. No idea if it would affect 2.2.2 which is in Woody.
>
> See KDE bug 96020.
Talking to upstream, it seems that the bug isn't quite as serious as the summary might suggest. Here's Dirk Mueller:

---
It does affect kmail 3.4 the same way it affected all older versions. However, this proof of concept is pretty lame. It doesn't match the colors, the fonts or even the font sizes. Of course you could theoretically tune for that. It doesn't have the usual link to the status popup though, and it's clearly mentioned in several places that HTML rendering has phishing problems, and HTML rendering is *disabled* by *default* in kmail, and you get a pretty huge warning if you still enable it. Anyway, the html bar also indicates that this is a spoofed message. Maybe not in an obvious way.

The only way we could mitigate this attack for real though is to load the actual content in a separate frame, so that it cannot paint over kmail specific HTML. This is a long term todo, and there are a few bits missing in KHTML in order to achieve that.

So I'd either close it as wontfix or as duplicate, whatever you prefer.
---

So it would appear that while KMail's behaviour makes phishing easier than it perhaps should be, in the real world it is far from a magical pass into the user's confidence. Moreover, the only fix for the foreseeable future would be to disable HTML mail completely (it's already off by default and comes with a security warning). I don't believe that to be a reasonable course of action, as it would severely reduce KMail's usefulness for many users with only a minimal increase in theoretical security. Thus while this is an important problem, I don't feel it to be in any sense release-critical.

Cheers,
Christopher Martin