[Security] Privilege escalation via malicious RTF attachments


Gareth Rees

Apr 7, 2026, 6:22:38 AM
to alavet...@googlegroups.com
We’ve discovered and patched an issue where user accounts can potentially be compromised and given admin roles via malicious RTF attachments.

We’ve released fixes for most known operational Alavetelis.

Summary and Impact:
===================

The "View as HTML" feature for RTF email attachments renders the output of unrtf --html directly to the browser via html_safe with no HTML sanitization. An attacker can craft an RTF file with a malicious font name in the font table that injects arbitrary HTML/JavaScript when the <font face="..."> tag is generated. The script executes automatically on page load – no user interaction beyond clicking "View as HTML" is needed.

This is significant as an attacker can craft the attack in such a way as to gain admin privileges by stealing an existing admin’s CSRF token.

While request email addresses are not generally public, and older requests have their response permissions restricted to block incoming responses, request email addresses are leaked frequently enough, and in enough different ways, that exploitation by this route is a realistic concern. It may also be possible for an attacker to send a request that ends up in the holding pen and achieve the same effect.

The attacker can report the malicious response via the "Report" button to maximise the chances that an admin views it.

Fix:
====

The fix is to lib/attachment_to_html/adapters/rtf.rb. The updated code sanitises the HTML produced by unrtf before further processing.
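To make the mechanism concrete, here is an added example (not code from Alaveteli or from the patch) showing the two halves of the problem: the font names declared in an RTF \fonttbl group are copied by unrtf into a <font face="..."> attribute, so a name containing attribute-breaking characters becomes markup in the rendered page. The RTF samples are constructed for this illustration, and the function names (font_names, suspicious_font_names, font_tag) are hypothetical. The shipped fix sanitises the whole unrtf output with Loofah; this example instead shows the equivalent property at the single sink, by escaping the name when the attribute is built, and adds a defender-side check that flags font tables whose names could not have come from a legitimate font.

```ruby
require 'cgi'

# Constructed sample documents (not taken from the advisory). The second one
# declares a font whose name carries HTML markup; the markup is inert here and
# serves only to show how a name reaches the attribute unchanged.
BENIGN_RTF  = '{\rtf1\ansi{\fonttbl{\f0\fswiss\fcharset0 Helvetica;}{\f1\froman Times New Roman;}}\f0 Hello}'
HOSTILE_RTF = '{\rtf1\ansi{\fonttbl{\f0\fswiss Helvetica;}{\f1\froman Foo"><b>x</b>;}}\f0 Hello}'

# Characters that have no place in a font name and can break out of an HTML
# attribute value or start a tag.
UNSAFE_NAME_CHARS = /[<>"'&]/

# Extract the font names declared in the \fonttbl group. Each entry has the
# shape {\fN<control words> Name;}: the name runs from the first whitespace
# after the control words up to the terminating semicolon.
def font_names(rtf)
  table = rtf[/\\fonttbl(.*)/m] or return []
  table.scan(/\{\\f\d+(?:\\[a-z]+\d*)*\s+([^;]*);\}/).flatten.map(&:strip)
end

# Defender-side check: return the declared font names that contain characters
# able to escape an attribute. A non-empty result is a strong signal that the
# attachment was crafted rather than produced by a word processor.
def suspicious_font_names(rtf)
  font_names(rtf).select { |name| name.match?(UNSAFE_NAME_CHARS) }
end

# The vulnerable shape: the name is interpolated into the attribute verbatim,
# which is what happens when unrtf's output is rendered without sanitisation.
def unsafe_font_tag(name)
  %(<font face="#{name}">)
end

# The hardened shape: escaping at the sink turns any markup in the name into
# literal text, so the browser sees a (strange) font name and nothing else.
def font_tag(name)
  %(<font face="#{CGI.escapeHTML(name)}">)
end

if __FILE__ == $PROGRAM_NAME
  [BENIGN_RTF, HOSTILE_RTF].each do |rtf|
    puts "fonts:      #{font_names(rtf).inspect}"
    puts "suspicious: #{suspicious_font_names(rtf).inspect}"
    font_names(rtf).each { |n| puts "  #{font_tag(n)}" }
  end
end
```

Run with `ruby rtf_font_check.rb`: the hostile sample reports one suspicious name, and the escaped tag for it contains no angle brackets. The same check can be applied to incoming attachments before they are ever converted, independent of whether the HTML view has been patched.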

We’ve released fixes for most known operational Alavetelis. These are listed below.

I also attach a diff that you can apply to your Alaveteli if you are unable to upgrade immediately.

Affected versions:
==================

The code that introduced RTF to HTML was back in 2011 (https://github.com/mysociety/alaveteli/commit/8405aeefaf1b4f72e1bc781995547d775e8991d7), so it is very likely that all versions since 0.5 are affected.

Fixed versions:
===============

We have published a hotfix release for the current version and most known operational Alavetelis:

https://github.com/mysociety/alaveteli/releases/tag/0.46.4.0
https://github.com/mysociety/alaveteli/releases/tag/0.45.6.0
https://github.com/mysociety/alaveteli/releases/tag/0.44.1.0
https://github.com/mysociety/alaveteli/releases/tag/0.43.3.0
https://github.com/mysociety/alaveteli/releases/tag/0.42.1.0
https://github.com/mysociety/alaveteli/releases/tag/0.41.2.0
https://github.com/mysociety/alaveteli/releases/tag/0.40.2.0
https://github.com/mysociety/alaveteli/releases/tag/0.39.2.0
https://github.com/mysociety/alaveteli/releases/tag/0.38.5.0

Releases prior to these do not have loofah available for sanitisation. Please contact us if you need assistance in creating an alternative patch. We strongly recommend upgrading to more recent versions of Alaveteli.

--
Gareth Rees
rtf-xss.diff