Camel: Mail header order in malformed message matters
Original reporter: Roy Paz
Area: Application
Message
Vulnerability disclosure for GNOME Evolution 3.38.3-1
Evolution is vulnerable to HTML Injection in the email headers, which will cause it to ignore the legitimate email headers and instead process the duplicate headers in the email.
For example, the following EML code will be shown as if it was sent from good@example.com in Dec 1980 in Evolution, whilst it will be shown as if it was sent from evil@example.com in Dec 2022 in other popular email clients such as Thunderbird, 365 and iOS's Email App, as they'll ignore the HTML Injection in the header.
Vuln.eml in Base64 VG86IHRlc3RAZXhhbXBsZS5jb20KTUlNRS1WZXJzaW9uOiAxLjAKQ29udGVudC10eXBlOiB0ZXh0L2h0bWwKTWVzc2FnZS1JRDogPDNiYWQ4ZGQ0YWVkZWUwYjExMTdiQGV4YW1wbGUuY29tPgo8IS0t U3ViamVjdDogVGVzdC1IVE1MSQpEYXRlOiBXZWQsIDAxIERlYyAyMDIyIDAwOjAwOjAwIC0wODAwIChQU1QpCkZyb206IGV2aWxAZXhhbXBsZS5jb20KU3ViamVjdDogU2hvd24tLT4KU3ViamVjdDog T25seSBTaG93biBEdWUgVG8gSW1wcm9wZXIgSFRNTCBQcm9jZXNzaW5nCkRhdGU6IFdlZCwgMDEgRGVjIDE5ODAgMDA6MDA6MDAgLTA4MDAgKFBTVCkKRnJvbTogZ29vZEBleGFtcGxlLmNvbQo=
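
Added example, not part of the original report and not Evolution or Camel code: a check that a mail gateway or triage script could run to flag messages in which a header that RFC 5322 allows at most once appears several times with different values, the condition under which mail clients can disagree about which sender, date or subject to display. The sample message, the function names and the `SINGLETONS` set are constructed for this illustration.

```python
# Header fields that RFC 5322 section 3.6 permits at most once per message.
SINGLETONS = {"date", "from", "sender", "reply-to", "to", "cc", "bcc",
              "message-id", "in-reply-to", "references", "subject"}

# Constructed sample (not the report's attachment): Subject, Date and From repeat.
SAMPLE = (
    "To: test@example.com\r\n"
    "Subject: First\r\n"
    "Date: Thu, 01 Dec 2022 00:00:00 -0800\r\n"
    "From: evil@example.com\r\n"
    "Subject: Second\r\n"
    "Date: Mon, 01 Dec 1980 00:00:00 -0800\r\n"
    "From: good@example.com\r\n"
    "\r\n"
    "body\r\n"
)

def parse_headers(raw):
    """Return [(lowercased name, value)] in wire order, unfolding continuations."""
    fields = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line == "":
            break  # the first blank line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]  # folded continuation of the previous field
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields

def ambiguous_headers(raw):
    """Map each repeated singleton header to (first value, last value) if they differ."""
    seen = {}
    for name, value in parse_headers(raw):
        if name in SINGLETONS:
            seen.setdefault(name, []).append(value)
    return {n: (v[0], v[-1]) for n, v in seen.items()
            if len(v) > 1 and v[0] != v[-1]}

if __name__ == "__main__":
    # Print what a first-occurrence parser and a last-occurrence parser would show.
    for name, (first, last) in ambiguous_headers(SAMPLE).items():
        print(f"{name}: first-wins={first!r} last-wins={last!r}")
```

A message that returns a non-empty result is a candidate for quarantine or for normalising to a single value before delivery, so every client renders the same headers.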