
=====================================================================

                           CERT-Renater

               Information Note No. 2014/VULN032
_____________________________________________________________________

DATE                : 30/01/2014

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Mozilla Thunderbird versions prior
                     to 24.0.

======================================================================
http://www.kb.cert.org/vuls/id/863369
______________________________________________________________________


Vulnerability Note VU#863369

Mozilla Thunderbird does not adequately restrict HTML elements in email
message content

Original Release date: 27 Jan 2014 | Last revised: 28 Jan 2014


Overview

Mozilla Thunderbird does not adequately restrict HTML elements in email
content, which could allow an attacker to execute arbitrary script when
a specially-crafted email message is forwarded or replied to.


Description

Vulnerability Lab has reported a vulnerability in the way Mozilla
Thunderbird handles HTML elements in email content. Mozilla Thunderbird
blocks the creation of certain HTML elements, such as script, when
displaying email messages. Traditionally, a script element is created
through the use of a <script> HTML tag. HTML elements, including
script, can also be created through the use of an <object> tag that
specifies a Data URI scheme (RFC 2397). The Data URI can specify a
text/html MIME type and encode the script in base64. In such cases,
Thunderbird will execute the script contained in the email message when
it is forwarded or replied to and the outgoing message is in HTML
format. Simply displaying the email message does not appear to cause
the script to execute.

See Mozilla Bug Bounty #5 - WireTap Remote Web Vulnerability for more
details.

Testing indicates that Thunderbird 17.0.{6,7,8} are vulnerable. Earlier
versions may also be vulnerable.
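
A defensive check for the pattern described above, as an added example that is not part of the original advisory: it walks the text/html parts of a message and reports every <object> element whose data attribute is an RFC 2397 data: URI of type text/html. The function and class names and the sample message are constructed for illustration; the document embedded in the sample is inert text.

```python
import base64
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes


def parse_data_uri(uri):
    """Split an RFC 2397 data: URI into (media_type, decoded_bytes), or None."""
    head, sep, payload = uri.strip().partition(",")
    if not sep or not head.lower().startswith("data:"):
        return None
    params = [p.strip().lower() for p in head[5:].split(";")]
    raw = unquote_to_bytes(payload)
    if "base64" in params[1:]:
        try:
            raw = base64.b64decode(raw + b"=" * (-len(raw) % 4))
        except ValueError:
            raw = b""  # undecodable payload; the element is still reported
    return params[0] or "text/plain", raw  # RFC 2397 default media type


class ObjectDataFinder(HTMLParser):
    """Records every <object> whose data attribute is a text/html data: URI."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        parsed = parse_data_uri(dict(attrs).get("data") or "") if tag == "object" else None
        if parsed and parsed[0] == "text/html":
            self.hits.append({"tag": tag, "has_script": b"<script" in parsed[1].lower()})


def scan_message(raw_bytes):
    """Return one finding per matching <object> in the text/html parts of a message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    finder = ObjectDataFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.hits


# Constructed sample message; the embedded document is inert text with no script.
_INNER = base64.b64encode(b"<p>constructed sample</p>").decode()
SAMPLE = ("From: a@example.org\r\nSubject: constructed\r\nMIME-Version: 1.0\r\n"
          "Content-Type: text/html; charset=utf-8\r\n\r\n"
          '<html><body><object data="data:text/html;base64,' + _INNER +
          '"></object></body></html>\r\n').encode()
```

A non-empty result from scan_message(SAMPLE) marks a message that should be quarantined or stripped before a user replies to or forwards it in HTML format.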


Impact

By creating a specially-crafted email message, an attacker can cause
arbitrary script to execute in Thunderbird when that message is
forwarded or replied to.


Solution

Apply an update

Limited testing has shown that Thunderbird versions 24.0 and later are
not affected by this vulnerability.

Compose email in plain text format

Disabling the setting to "Compose messages in HTML format" for each
email account will help protect against attacks. This will cause
outgoing messages to be constructed in plain text, which does not
contain HTML elements.


Vendor Information

Vendor     Status     Date Notified   Date Updated
Mozilla    Affected   -               27 Jan 2014


CVSS Metrics

Group           Score   Vector
Base            5.0     AV:N/AC:L/Au:N/C:N/I:P/A:N
Temporal        3.9     E:POC/RL:OF/RC:C
Environmental   2.9     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND


References

    http://www.vulnerability-lab.com/get_content.php?id=953
    https://developer.mozilla.org/en-US/docs/data_URIs
    http://tools.ietf.org/html/rfc2397

Credit

This vulnerability was reported by Vulnerability Laboratory, who in
turn credits Ateeq ur Rehman Khan.

This document was written by Art Manion and Will Dormann.


Other Information

    CVE IDs: CVE-2013-6674
    Date Public: 27 Jan 2014
    Date First Published: 27 Jan 2014
    Date Last Updated: 28 Jan 2014
    Document Revision: 25


=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
