Bug 359425

Summary: CSS from HTML mail interferes with header layout
Product: [Applications] kmail2
Reporter: Dominik George <nik>
Component: UI
Assignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED DUPLICATE    
Severity: grave CC: anikethgireesh, bugs.kde.org, nik, sknauss
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Debian unstable   
OS: Linux   
Attachments: Example message
Broken KMail with legitimate mail
Legitimate mail breaking KMail UI

Description Dominik George 2016-02-15 10:25:17 UTC
I just saw an HTML message whose styles for html and body interfere with the
message headers (in that case, the message headers got centered along
with the rest of the message).

On first glance, this is a cosmetic issue. On second thought, it is
imaginable that this can be abused to hide or inject information into
the headers, thus easing phishing or scamming or even tricking the user
into assuming a different sender, replying with confidential
information.

I am not certain that the latter will actually work; if you agree with
my thoughts, please take the relevant steps to make this a security bug.



Reproducible: Always

Steps to Reproduce:
The attached mail completely replaces the default header view in KMail.

Of course, most of this can be done by simply spoofing e-mail addresses as 
well, or even better. I still see a minor attack vector because it might be 
possible to bypass spam checks by sending mail from a valid address. The 
default list view of messages in KMail only displays the sender's full name, 
so injecting a name of a trusted sender together with a valid e-mail address 
may ease forging the message quite a bit, because I can use any old freemail 
provider for that and my change will go unnoticed (see attached example 
message). I can even use corporate mail infrastructure that normally does 
sender checks, because no one really tries to authenticate senders' full names.

So what do I get from that?

 1. The recipient sees my injected full name in the email list and does not 
find anything suspicious.

 2. The recipient opens the message, gets the correct headers along with the 
HTML mail warning.

 3. Here is a short instance where the recipient might catch the wrong sender 
address.

 4. If they don't and accept the HTML warning, the headers are replaced, and 
we're done.

As you can see, there actually *is* an easy way to catch this as a recipient. 
I cannot say how many users would actually notice, and one could even say it's 
their fault for not being cautious enough, but then again, we all know how 
humans work, so it shouldn't be so easy to manipulate the message view.
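The report above describes two things a mail client can check before it paints a message: whether the HTML part carries CSS aimed at the html/body elements (the rules that bleed into a header view rendered in the same document), and whether a trusted display name arrives from an address other than the one on record. The script below is an added example, not code from the bug report or from KMail; the sample message, the TRUSTED_CONTACTS address book and the regex-based CSS handling are constructed assumptions for illustration. It flags root-level CSS rules, rewrites the HTML so those rules and any inline style on html/body are dropped, and reports display-name/address mismatches from the parsed From header.

```python
"""Added example (not KMail code): inspect an HTML mail for CSS that would
leak into a shared header view, and flag display-name/address mismatches."""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed sample message: a freemail address with a trusted-looking display
# name and CSS that styles <html>/<body>, the pattern the bug report describes.
SAMPLE_EML = """\
From: "IT Support" <randomuser@example.net>
To: victim@example.org
Subject: Password reset
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html>
<head>
<style>
body { text-align: center; background: #fff; }
html, body { margin: 0; }
p.note { color: red; }
</style>
</head>
<body style="text-align:center">
<p class="note">Please reset your password at the link below.</p>
</body>
</html>
"""

# Hypothetical address book: display names the recipient trusts, mapped to the
# address each one is expected to come from.
TRUSTED_CONTACTS = {"IT Support": "it-support@example.org"}

STYLE_BLOCK = re.compile(r"<style\b[^>]*>(.*?)</style>", re.IGNORECASE | re.DOTALL)
RULE = re.compile(r"([^{}]+)\{([^{}]*)\}", re.DOTALL)
# A selector targets the document root if "html" or "body" appears as a whole
# element name (so "tbody" and ".body" do not match).
ROOT_SELECTOR = re.compile(r"(^|[\s,>+~])(html|body)(?=$|[\s,.#:\[>+~])", re.IGNORECASE)
ROOT_TAG_STYLE = re.compile(
    r"<(html|body)\b([^>]*?)\s+style\s*=\s*(\"[^\"]*\"|'[^']*')", re.IGNORECASE)


def root_css_rules(html: str) -> list:
    """Return the selector lists of <style> rules that target html or body."""
    found = []
    for block in STYLE_BLOCK.findall(html):
        for selectors, _decls in RULE.findall(block):
            if any(ROOT_SELECTOR.search(s.strip()) for s in selectors.split(",")):
                found.append(selectors.strip())
    return found


def isolate_root_css(html: str) -> str:
    """Rewrite the HTML so rules aimed at html/body cannot escape the message body:
    drop those rules from <style> blocks and strip inline style on <html>/<body>."""
    def clean_block(m):
        kept = []
        for selectors, decls in RULE.findall(m.group(1)):
            sels = [s.strip() for s in selectors.split(",") if s.strip()]
            sels = [s for s in sels if not ROOT_SELECTOR.search(s)]
            if sels:  # keep the rule only for its non-root selectors
                kept.append("%s {%s}" % (", ".join(sels), decls))
        return "<style>\n" + "\n".join(kept) + "\n</style>"
    html = STYLE_BLOCK.sub(clean_block, html)
    return ROOT_TAG_STYLE.sub(r"<\1\2", html)


def sender_mismatch(msg: EmailMessage):
    """Return (display_name, address, expected) when a trusted display name
    arrives from an address other than the one on record, else None."""
    from_addr = msg["From"].addresses[0]  # policy.default parses the header
    expected = TRUSTED_CONTACTS.get(from_addr.display_name)
    if expected and from_addr.addr_spec.lower() != expected.lower():
        return from_addr.display_name, from_addr.addr_spec, expected
    return None


def analyze(raw: str) -> dict:
    """Parse a raw RFC 5322 message and run both checks on its HTML part."""
    msg = email.message_from_string(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    return {
        "root_css_rules": root_css_rules(html),
        "sender_mismatch": sender_mismatch(msg),
        "sanitized_html": isolate_root_css(html),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EML)
    print("root-level CSS rules:", result["root_css_rules"])
    print("sender mismatch:", result["sender_mismatch"])
    print(result["sanitized_html"])
```

Stripping root-level rules is a stopgap that a determined sender can route around (for example with `*` selectors or absolutely positioned elements); the durable fix is to render the message body in its own document or sandboxed frame so its stylesheet has no path to the header chrome at all. The display-name check is equally heuristic: it only catches names already in the address book, which is exactly the case the report is about.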
Comment 1 Dominik George 2016-02-15 10:26:03 UTC
Created attachment 97225 [details]
Example message
Comment 2 Dominik George 2016-02-15 10:26:59 UTC
Tracked in Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=814762
Comment 3 Dominik George 2016-07-24 20:19:15 UTC
Today, I found that the bug persists in KMail 5.2.3 (I cannot select that in the version field above…) and it got worse.

Today, I stumbled over a legitimate HTML mail messing up the whole UI.

Find attached the mail that caused it and a screenshot.
Comment 4 Dominik George 2016-07-24 20:19:48 UTC
Created attachment 100273 [details]
Broken KMail with legitimate mail
Comment 5 Dominik George 2016-07-24 20:20:14 UTC
Created attachment 100274 [details]
Legitimate mail breaking KMail UI
Comment 6 Aniketh 2017-01-10 07:13:55 UTC
Isn't this bug fixed? Else I would like to work on it :)
Comment 7 Erik Quaeghebeur 2021-12-31 12:41:01 UTC

*** This bug has been marked as a duplicate of bug 371656 ***