There is a security hole in the 4.9 version of KAddressBook, more precisely an XSS injection is possible through a malicious vcard file, when imported. Try to import the vcard http://www.securem.eu/test.vcf for example. Additionally, the label for the TEL field is not displayed on my screen (maybe a missing French translation?). What about yours?

Reproducible: Always

Steps to Reproduce:
1. Download the file http://www.securem.eu/test.vcf
2. Import it into KAddressBook
3. Show the corresponding profile "Mickaël Bergöm"

Actual Results: HTML code in plaintext fields is evaluated and displayed as is

Expected Results: The tags <h1> should be escaped and the "<" / ">" characters replaced by HTML entities...

Actually this hole will not compromise your computer as Javascript code seems to be disabled / iframes too, for example. But it still allows a malicious file displaying wrong things, or directing you to another website (URL field with a link to a malware website: <a href="booh.com">good.com</a>)
Which application did you use to create this vcard (to understand how you created the TEL field)?
This application missed adding the type of phone, so it's normal. But perhaps we need to add a default type. But we need to know which apps do it.
In Thunderbird the TEL field is not imported because the type is missing too.
Oops, my fault for the TEL field: it was a hand-made vcard and I only read the Wikipedia page, I didn't know that the TYPE item was mandatory (isn't it?). Thank you for solving this problem, however the security report is still open.
Yes, I saw the problem with HTML. Will look at it.
Git commit d5bb7c20544170e06ecaaeb21c747c3b8905fc63 by Tobias Koenig.
Committed on 13/10/2012 at 11:56.
Pushed by tokoe into branch 'master'.

Fix XSS issue in the contact viewer

This was not really a security risk, since the used QTextBrowser has no way to access the network automatically, but fixing it right now makes it future-proof.

M +13 -12 akonadi/contact/standardcontactformatter.cpp

http://commits.kde.org/kdepimlibs/d5bb7c20544170e06ecaaeb21c747c3b8905fc63
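As an added illustration of the expected behaviour in this report (this is not the kdepimlibs code from the commit above), a minimal C++ contact formatter that escapes every vCard value before building the viewer HTML, so the <h1> and <a> markup from the report is displayed as text, and that labels a TEL with no TYPE parameter using an assumed default of "voice" instead of dropping it. The vCard parser, the default label and the sample vcard are all assumptions made for this example.

```cpp
#include <map>
#include <sstream>
#include <string>
#include <vector>
struct VCardProperty { std::string name; std::map<std::string, std::string> params; std::string value; };  // NAME;PARAM=VALUE:value
// Replace HTML metacharacters with entities so an untrusted vCard value is shown as literal text.
std::string htmlEscape(const std::string &in) {
    static const std::map<char, std::string> ent{{'&', "&amp;"}, {'<', "&lt;"}, {'>', "&gt;"}, {'"', "&quot;"}};
    std::string out;
    for (char c : in) { auto e = ent.find(c); out += e == ent.end() ? std::string(1, c) : e->second; }
    return out;
}
// Split an unfolded vCard into properties, keeping parameters such as TYPE=cell.
std::vector<VCardProperty> parseVCard(const std::string &text) {
    std::vector<VCardProperty> props;
    std::istringstream lines(text);
    for (std::string line; std::getline(lines, line);) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF line ends
        const auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        VCardProperty p{"", {}, line.substr(colon + 1)};
        std::istringstream head(line.substr(0, colon));
        std::getline(head, p.name, ';');
        for (std::string part; std::getline(head, part, ';');) {
            const auto eq = part.find('=');
            if (eq != std::string::npos) p.params[part.substr(0, eq)] = part.substr(eq + 1);
        }
        props.push_back(p);
    }
    return props;
}
// Build the viewer HTML: every value is escaped, so "<h1>" in a name is shown as text,
// and a TEL without a TYPE parameter is still labelled (assumed default "voice").
std::string renderContact(const std::vector<VCardProperty> &props) {
    std::string html;
    for (const auto &p : props) {
        if (p.name == "FN") html += "<b>" + htmlEscape(p.value) + "</b><br/>";
        else if (p.name == "TEL") {
            const auto t = p.params.find("TYPE");
            html += htmlEscape(t == p.params.end() ? "voice" : t->second) + ": " + htmlEscape(p.value) + "<br/>";
        } else if (p.name == "URL")  // link text is the escaped target itself, so text and target cannot differ
            html += "<a href=\"" + htmlEscape(p.value) + "\">" + htmlEscape(p.value) + "</a><br/>";
    }
    return html;
}
// Constructed sample shaped like the reported test.vcf (not the real file).
const std::string kSampleVCard = "BEGIN:VCARD\r\nFN:<h1>Mickael Bergom</h1>\r\nTEL:+33 1 23 45 67 89\r\n"
    "TEL;TYPE=cell:+33 6 00 00 00 00\r\nURL:<a href=\"booh.com\">good.com</a>\r\nEND:VCARD\r\n";
std::string sampleHtml() { return renderContact(parseVCard(kSampleVCard)); }
```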