Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
From: Mads Peter Bach <mpb () bugtraq logout sh>
Date: Wed, 06 Jun 2001 06:34:58 +0200

3APA3A wrote:

[snip]
 
Background:

Netscape  Messanger  uses  internal  protocol  called  mailbox://. The
format of mailbox URI is

mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber

this  URI  contains full path to user's mailbox which usually contains
user's  login  name  and  in case of Windows 9x - the path to Netscape
installation.   It's   impossible  to  determine  this  location  from
javascript    inside    e-mail   message,   because   Netscape   hides
document.location from javascript.

Problem:

It's  possible  to  retrieve mailbox:// URI of the message. E.g., it's
possible to retrieve mailbox location, user's system login and in some
cases path to Netscape installation.


This vulnerability only affects the users local (on the client machine) mailbox. If a user keeps his mail on an IMAP 
server, the the referer will show
up as an IMAP:// url.
Workaround: Don't use POP3, and keep your mail on an IMAP server.
 
/Mads


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]