[20887] in bugtraq
Re: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval
daemon@ATHENA.MIT.EDU (Mads Peter Bach)
Wed Jun 6 01:59:56 2001
Message-ID: <3B1DB2DD.EC409A76@bugtraq.logout.sh>
Date: Wed, 06 Jun 2001 06:34:58 +0200
From: Mads Peter Bach <mpb@bugtraq.logout.sh>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
3APA3A wrote:
[snip]
> Background:
>
> Netscape Messenger uses an internal protocol called mailbox://. The
> format of a mailbox URI is
>
> mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber
>
> this URI contains the full path to the user's mailbox, which usually contains
> the user's login name and, in the case of Windows 9x, the path to the Netscape
> installation. It's impossible to determine this location from
> JavaScript inside an e-mail message, because Netscape hides
> document.location from JavaScript.
>
> Problem:
>
> It's possible to retrieve the mailbox:// URI of the message. E.g., it's
> possible to retrieve the mailbox location, the user's system login and in some
> cases the path to the Netscape installation.
>
This vulnerability only affects the user's local (on the client machine) mailbox. If a user keeps his mail on an IMAP server, the referer will show up as an IMAP:// URL.

Workaround: Don't use POP3, and keep your mail on an IMAP server.
/Mads
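As an added example (not part of this thread or of Netscape's code), the check Mads's observation suggests for an organisation's outbound proxy log: flag requests whose Referer is a mailbox:// URI, which carries the local folder path, and treat imap:// and http:// referers as not exposing a local path. The log lines, hosts, profile names and IDs below are constructed.

```python
import re

# Constructed sample lines (Apache "combined" format) standing in for an
# outbound proxy log; clients, paths and profile names are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Jun/2001:06:40:01 +0200] "GET /img/pixel.gif HTTP/1.0" 200 43 "mailbox://C|/Program Files/Netscape/Users/jdoe/Mail/Inbox?ID=a1b2c3&number=17" "Mozilla/4.76 [en] (Win98; U)"
10.0.0.7 - - [06/Jun/2001:06:41:13 +0200] "GET /img/pixel.gif HTTP/1.0" 200 43 "imap://mail.example.org/INBOX?ID=d4e5f6&number=42" "Mozilla/4.76 [en] (X11; U; Linux 2.2)"
10.0.0.9 - - [06/Jun/2001:06:42:27 +0200] "GET /index.html HTTP/1.0" 200 1024 "http://www.example.org/" "Mozilla/4.76 [en] (X11; U; Linux 2.2)"
"""

# Fields of a combined log line; only the client and the quoted Referer are used.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def classify_referer(referer):
    """Return (scheme, exposed_path): exposed_path is the local folder path a
    mailbox:// referer reveals, None for any other scheme."""
    scheme, sep, rest = referer.partition(":")
    if not sep:
        return ("", None)
    scheme = scheme.lower()
    if scheme != "mailbox":
        return (scheme, None)
    # mailbox://<full_path_to_user_folder>?ID=...&number=...  : everything
    # before the query string is a path on the user's own disk.
    path = rest[2:] if rest.startswith("//") else rest
    return (scheme, path.split("?", 1)[0])

def audit_referers(log_text):
    """Report, per parsable log line, whether its Referer leaked a local
    mailbox path. Lines that do not match the format are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        scheme, exposed = classify_referer(m.group("referer"))
        findings.append({"client": m.group("client"),
                         "scheme": scheme,
                         "leaked_path": exposed})  # None unless mailbox://
    return findings

if __name__ == "__main__":
    for f in audit_referers(SAMPLE_LOG):
        flag = "LEAK" if f["leaked_path"] else "ok"
        print(f"{f['client']:<10} {f['scheme']:<8} {flag} {f['leaked_path'] or ''}")
```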