
Ximian Evolution < 1.2.3 MIME image/* Content-Type Data Injection

Medium

Synopsis

The remote host may be tricked into running an executable file.

Description

The remote host is running a version of the Ximian Evolution email client that does not properly validate MIME image/* Content-Type fields. If an email message contains a part with an image/* Content-Type, any type of data can be embedded where the image data is expected. This can be used to embed HTML tags that will be rendered by GtkHTML, bypass policies, or invoke Bonobo components to handle external content types.

Solution

Upgrade to Evolution 1.2.3 or higher.
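
Where upgrading is delayed, a mail gateway or triage script can check for the condition in the Description by comparing each image/* part's declared type with the file signature of its decoded body. The Python below is an added example, not part of the original advisory or of Evolution; the signature table, the function names and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Well-known leading file signatures. Formats outside this table
# (e.g. TIFF) are reported too, for manual review.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}

def sniff_image(data):
    """Return the image format the bytes start with, or None."""
    for fmt, signatures in IMAGE_MAGIC.items():
        if data.startswith(signatures):
            return fmt
    return None

def mismatched_image_parts(raw_message):
    """Return (filename, declared type, sniffed format) for every image/*
    part whose decoded body does not match its declared type."""
    findings = []
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        body = part.get_payload(decode=True) or b""  # undoes base64/QP
        sniffed = sniff_image(body)
        declared = part.get_content_subtype().lower()
        if sniffed is None or (declared in IMAGE_MAGIC and sniffed != declared):
            findings.append((part.get_filename(), part.get_content_type(), sniffed))
    return findings

def build_sample():
    """Constructed test message: two parts, both declared image/png."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("two attachments follow")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="real.png")
    msg.add_attachment(b"<html><body>not an image</body></html>",
                       maintype="image", subtype="png", filename="fake.png")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in mismatched_image_parts(build_sample()):
        print("suspicious image part:", finding)
```

A signature check only confirms how the body begins, so it complements the upgrade rather than replacing it.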