Bug 305169

Summary: XSS Injection in KAddressbook
Product: [Applications] kaddressbook
Reporter: Mickaël <mprizee>
Component: general
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED FIXED
Severity: major
CC: montel, tokoe
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Arch Linux
OS: Linux
URL: http://www.securem.eu/test.vcf
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Description Mickaël 2012-08-14 22:58:13 UTC
There is a security hole in the 4.9 version of KAddressBook; more precisely, an XSS injection is possible through a malicious vCard file when it is imported.
Try to import the vCard http://www.securem.eu/test.vcf for example.

Additionally, the label for the TEL field is not displayed on my screen (maybe a missing French translation?). What about yours?

Reproducible: Always

Steps to Reproduce:
1. Download the file http://www.securem.eu/test.vcf
2. Import it into KAddressBook
3. Show the corresponding profile "Mickaël Bergöm"
Actual Results:
HTML code in plaintext fields is evaluated and displayed as is.

Expected Results:
The <h1> tags should be escaped and the "<" / ">" characters replaced by HTML entities...

Actually, this hole will not compromise your computer, as JavaScript code seems to be disabled, and iframes too, for example.
But it still allows a malicious file to display wrong things, or to direct you to another website (URL field with a link to a malware website: <a href="booh.com">good.com</a>).
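The defect the reporter describes is a missing output-encoding step: vCard field values are pasted into the HTML that the contact viewer renders, so markup inside a field is interpreted instead of shown literally. The following added example (not KDE code, and not the fix committed for this bug) shows the vulnerable template beside the hardened one in plain C++ so it runs without Qt. The vCard parser, the sample card and the `htmlEscape()` helper are assumptions of this example; the sample card is constructed here and is not the file linked in the report. In Qt the equivalent of `htmlEscape()` is `Qt::escape()` (Qt 4) or `QString::toHtmlEscaped()` (Qt 5).

```cpp
#include <iostream>
#include <map>
#include <sstream>
#include <string>

// Escape the five characters that carry meaning in HTML so that untrusted
// text is rendered literally instead of being parsed as markup.
std::string htmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Minimal vCard line parser (assumed simplification for this example):
// "NAME;PARAM=VALUE:value" -> {NAME, value}. Parameters are dropped;
// line folding, backslash escapes and property groups are not handled.
std::map<std::string, std::string> parseVCard(const std::string& text) {
    std::map<std::string, std::string> fields;
    std::istringstream lines(text);
    std::string line;
    while (std::getline(lines, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        const auto colon = line.find(':');
        if (colon == std::string::npos) continue;
        std::string name = line.substr(0, colon);
        const auto semi = name.find(';');
        if (semi != std::string::npos) name.erase(semi);
        fields[name] = line.substr(colon + 1);
    }
    return fields;
}

// Vulnerable rendering: values go straight into the HTML template, so an
// "<h1>" inside FN becomes a real heading in the viewer (the reported bug).
std::string renderUnsafe(const std::map<std::string, std::string>& f) {
    std::ostringstream html;
    html << "<table>";
    for (const auto& kv : f)
        html << "<tr><td>" << kv.first << "</td><td>" << kv.second << "</td></tr>";
    html << "</table>";
    return html.str();
}

// Hardened rendering: every untrusted string passes through htmlEscape(),
// so the same input is displayed as text and cannot introduce markup.
std::string renderSafe(const std::map<std::string, std::string>& f) {
    std::ostringstream html;
    html << "<table>";
    for (const auto& kv : f)
        html << "<tr><td>" << htmlEscape(kv.first) << "</td><td>"
             << htmlEscape(kv.second) << "</td></tr>";
    html << "</table>";
    return html.str();
}

// Constructed sample card (not the file from the report): FN carries a
// heading tag and URL carries an anchor whose text disagrees with its target.
const std::string kSampleCard =
    "BEGIN:VCARD\r\n"
    "VERSION:3.0\r\n"
    "FN:<h1>Example Contact</h1>\r\n"
    "URL:<a href=\"http://attacker.invalid\">good.example</a>\r\n"
    "TEL;TYPE=cell:+1 555 0100\r\n"
    "END:VCARD\r\n";

// Detection helper: true when the rendered page still contains the given
// raw tag, i.e. untrusted markup survived into the viewer.
bool containsRawTag(const std::string& html, const std::string& tag) {
    return html.find(tag) != std::string::npos;
}

int main() {
    const auto fields = parseVCard(kSampleCard);
    std::cout << "unsafe: " << renderUnsafe(fields) << "\n\n";
    std::cout << "safe:   " << renderSafe(fields) << "\n";
    return 0;
}
```

Running it prints both renderings; in the first the FN cell contains a live `<h1>` element and the URL cell a clickable anchor, in the second both appear as literal text. The check to carry into a code review is the one `containsRawTag()` expresses: any string that originates from the imported file must reach the HTML template only through the escaping function.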
Comment 1 Laurent Montel 2012-08-15 10:05:46 UTC
Which application did you use to create this vCard (to understand how you created the TEL field)?
Comment 2 Laurent Montel 2012-08-15 10:07:56 UTC
This application did not add the type of phone, so that's normal.
But perhaps we need to add a default type.
But we need to know which apps do it.
Comment 3 Laurent Montel 2012-08-15 10:09:40 UTC
In Thunderbird the TEL field is not imported either, because the type is missing.
Comment 4 Mickaël 2012-08-15 13:34:10 UTC
Oops, my fault for the TEL field: it was a hand-made vCard and I only read the Wikipedia page; I didn't know that the TYPE item was mandatory (isn't it?).

Thank you for solving this problem, however the security report is still open.
Comment 5 Laurent Montel 2012-08-15 14:22:46 UTC
Yes, I saw the problem with HTML.
Will look at it.
Comment 6 Tobias Koenig 2012-10-13 09:58:20 UTC
Git commit d5bb7c20544170e06ecaaeb21c747c3b8905fc63 by Tobias Koenig.
Committed on 13/10/2012 at 11:56.
Pushed by tokoe into branch 'master'.

Fix XSS issue in the contact viewer

This was not really a security risk, since the QTextBrowser used has no way to access
the network automatically, but fixing it right now makes it future-proof.

M  +13   -12   akonadi/contact/standardcontactformatter.cpp

http://commits.kde.org/kdepimlibs/d5bb7c20544170e06ecaaeb21c747c3b8905fc63