mailing list archives
From: claudio () LINK IT (Claudio Telmon)
Date: Tue, 13 Jul 1999 22:56:37 +0200
Peter W wrote:
As Netscape has not acknowledged my email or bug report from last week,
and one form of this vulnerability is currently being used, I have decided
it best to publicize this problem.
I can add something on this topic. Gioacchino La Vecchia (gio () link it)
and me found the same problem and a couple of
others (which I'll describe later in this posting) in January. We were
some testing and in February decided to send a bug report to Netscape.
We got an answer at the end of February after some mail exchange.
Netscape told us that they couldn't include a fix in Communicator 4.51,
which was "after final build", and asked for 8-10 weeks before we make
the bugs public. We also got a "Bugs Bounty Recognition Package" ;),
that is 1000$ and a T-shirt (500$ pro capite).
After that, Communicator 4.51, 4.6 and 4.61 where released.
Since we are working a lot, time passed and we almost forgot the
The bottom line is that if I'll find some other bug, Netscape will know
about it with the bugtraq moderator ;)
messages, so we noticed this bug in mail messages. A message sent to a
public mailing list or a spam message can leave a "mark" in your cookies
database that can be read by any other message (or web page?).
If I remember correctly, we tested this also on Explorer and it worked.
but the bug is not fixed. As you noticed, "same origin" is
Another partially fixed bug is that with
you can access the first message of the mailbox.
With the original bug, you could access document.links and get the
addresses of sender, recipient etc. Now you can still get
document.title, which is the subject of the message. If you try other
values instead of 2, you can get the offset of the beginning of another
message in the mailbox and work on it, or else Communicator will crash.
The original report can be found at
[LoWNOISE] Lotus Domino ET LoWNOISE (Jul 10)