[Bug 305169] New: XSS Injection in KAddressbook

Mickaël mprizee at laposte.net
Tue Aug 14 23:58:13 BST 2012


https://bugs.kde.org/show_bug.cgi?id=305169

            Bug ID: 305169
          Severity: major
               URL: http://www.securem.eu/test.vcf
           Version: unspecified
          Priority: NOR
                CC: tokoe at kde.org
          Assignee: kdepim-bugs at kde.org
           Summary: XSS Injection in KAddressbook
    Classification: Unclassified
                OS: Linux
          Reporter: mprizee at laposte.net
          Hardware: Archlinux Packages
            Status: UNCONFIRMED
         Component: general
           Product: kaddressbook

There is a security hole in the 4.9 version of KAddressBook; more precisely, an
XSS injection is possible through a malicious vCard file when it is imported.
Try to import the vCard http://www.securem.eu/test.vcf, for example.

Additionally, the label for the TEL field is not displayed on my screen (maybe
a missing French translation?). What about yours?

Reproducible: Always

Steps to Reproduce:
1. Download the file http://www.securem.eu/test.vcf
2. Import it into KAddressBook
3. Show the corresponding profile "Mickaël Bergöm"
Actual Results:
HTML code in plaintext fields is evaluated and displayed as is.

Expected Results:
The <h1> tags should be escaped and the "<" / ">" characters replaced by HTML
entities...

Actually, this hole will not compromise your computer, as JavaScript code seems
to be disabled, and iframes too, for example.
But it still allows a malicious file to display wrong things, or to direct you
to another website (URL field with a link to a malware website: <a
href="booh.com">good.com</a>).

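The fix the report asks for is to treat every vCard value as plain text and HTML-escape it before it reaches the contact view, and to show a URL property as a link only when the value itself is a well-formed URL with an allowed scheme (so the visible text and the link target can never differ). The following is an added, self-contained example written for this page; it is not KAddressBook's own code. It implements a minimal vCard 3.0 reader (line unfolding and value unescaping only, no parameter handling) and a renderer that escapes the values. `SAMPLE_VCARD`, the property layout, and the scheme allowlist are constructed for the example, modelled on the FN and URL fields the report describes.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the report: an FN value carrying an <h1> tag
# and a URL value carrying an anchor whose visible text differs from its href.
SAMPLE_VCARD = """BEGIN:VCARD
VERSION:3.0
FN:<h1>Example Contact</h1>
N:Contact;Example;;;
TEL;TYPE=cell:+33 6 00 00 00 00
URL:<a href="http://booh.example">good.example</a>
NOTE:Line one\\nLine two\\, with a comma
END:VCARD
"""

# Schemes we are willing to turn into a clickable link (an assumption for this example).
SAFE_URL_SCHEMES = {"http", "https", "mailto"}


def unfold(text):
    """Join folded lines: a line break followed by a space or tab continues the previous line."""
    return re.sub(r"\r?\n[ \t]", "", text)


def unescape_value(value):
    """Undo vCard 3.0 value escapes: \\n -> newline, \\, -> ',', \\; -> ';', \\\\ -> '\\'."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt in "nN":
                out.append("\n")
            elif nxt in ",;\\":
                out.append(nxt)
            else:  # unknown escape: keep it literally rather than guessing
                out.append(c)
                out.append(nxt)
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_vcard(text):
    """Return a list of (NAME, [params], value) triples; values are decoded but still untrusted."""
    props = []
    for line in unfold(text).splitlines():
        if not line or ":" not in line:
            continue
        head, _, raw_value = line.partition(":")  # first ':' ends the name/parameter block
        name, *params = head.split(";")
        props.append((name.upper(), params, unescape_value(raw_value)))
    return props


def safe_href(value):
    """Return the value as an href only if it is an absolute URL with an allowed scheme, else None."""
    candidate = value.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in SAFE_URL_SCHEMES:
        return None
    if parts.scheme.lower() != "mailto" and not parts.netloc:
        return None
    return candidate


def render_html(props):
    """Render the contact as an HTML table, escaping every value so markup in it is shown as text."""
    rows = []
    for name, _params, value in props:
        if name in ("BEGIN", "END", "VERSION"):
            continue
        label = html.escape(name)
        text = html.escape(value).replace("\n", "<br>")
        href = safe_href(value) if name == "URL" else None
        if href:
            # The link text is the escaped URL itself, so a link cannot mislabel its target.
            cell = f'<a href="{html.escape(href, quote=True)}">{text}</a>'
        else:
            cell = text
        rows.append(f"<tr><th>{label}</th><td>{cell}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    print(render_html(parse_vcard(SAMPLE_VCARD)))
```

Run as a script it prints the escaped table: the FN row shows the literal text `<h1>Example Contact</h1>`, and the URL row is shown as plain text because the value does not parse as an `http`, `https` or `mailto` URL. A value such as `URL:https://example.org/` is rendered as a link whose href and visible text are identical.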