[11039] in bugtraq
Re: Communicator 4.[56]x,
daemon@ATHENA.MIT.EDU (Claudio Telmon)
Fri Jul 16 15:30:26 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <378BA805.F7643071@link.it>
Date: Tue, 13 Jul 1999 22:56:37 +0200
Reply-To: Claudio Telmon <claudio@LINK.IT>
From: Claudio Telmon <claudio@LINK.IT>
X-To: Peter W <peterw@USA.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Peter W wrote:
>
> As Netscape has not acknowledged my email or bug report from last week,
> and one form of this vulnerability is currently being used, I have decided
> it best to publicize this problem.
>
I can add something on this topic. Gioacchino La Vecchia (gio@link.it)
and me found the same problem and a couple of
others (which I'll describe later in this posting) in January. We were
checking how Communicator handles javascript in mail messages. We made
some testing and in February decided to send a bug report to Netscape.
We got an answer at the end of February after some mail exchange.
Netscape told us that they couldn't include a fix in Communicator 4.51,
which was "after final build", and asked for 8-10 weeks before we make
the bugs public. We also got a "Bugs Bounty Recognition Package" ;),
that is 1000$ and a T-shirt (500$ pro capite).
After that, Communicator 4.51, 4.6 and 4.61 where released.
Since we are working a lot, time passed and we almost forgot the
problem.
The bottom line is that if I'll find some other bug, Netscape will know
about it with the bugtraq moderator ;)
Now to the bugs. As I said, we were working on javascript in mail
messages, so we noticed this bug in mail messages. A message sent to a
public mailing list or a spam message can leave a "mark" in your cookies
database that can be read by any other message (or web page?).
If I remember correctly, we tested this also on Explorer and it worked.
Now the default setting is that javascript in mail messages is disabled,
but the bug is not fixed. As you noticed, "same origin" is
not enforced.
Another partially fixed bug is that with
wysiwig://0/mailbox:/home/claudio/nsmail/Inbox?number=2
you can access the first message of the mailbox.
We used
window.open("wysiwig://0/mailbox:/home/claudio/nsmail/Inbox?number=2")
With the original bug, you could access document.links[] and get the
addresses of sender, recipient etc. Now you can still get
document.title, which is the subject of the message. If you try other
values instead of 2, you can get the offset of the beginning of another
message in the mailbox and work on it, or else Communicator will crash.
The original report can be found at
http://metalab.unc.edu/gio/papers/netscape/netscape.html
ciao
- Claudio
