[8422] in bugtraq
Communicator 4.5 stores EVERY mail-password in preferences.js
daemon@ATHENA.MIT.EDU (Holger van Lengerich)
Thu Nov 5 12:26:54 1998
Date: Wed, 4 Nov 1998 18:29:55 +0100
Reply-To: Holger van Lengerich <gimli@uni-paderborn.de>
From: Holger van Lengerich <gimli@UNI-PADERBORN.DE>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19981028182202.13038.qmail@hotmail.com>
Hi!
The Netscape Communicator 4.5 stores the crypted version of used
mail-passwords (for imap and pop3) even if you tell Netscape to *not*
"remember password" in the preferences dialog.
Damage:
=======
IMHO this means, that anybody who can read your preferences.js ("prefs.js"
in the MS dominion) is problably able to read your mail or even get your
plaintext-password.
How to reproduce:
=================
- start Communicator
- be sure "remember password" is disabled in the preferences dialog for the
"Incoming Mail Server".
- get mails from Server (you get asked for your mail-password)
- exit Communicator
- edit preferences.js in $HOME/.netscape (MS-Users: prefs.js in your
NS-Profile-Path)
- search for something like:
--- 8< ---
user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
user_pref("mail.imap.server.mail.remember_password", false);
--- >8 ---
- Now change "false" to "true".
- Save the file
- Start Communicator
- get mails
... now you are not asked for any password but can read all your mail! :(
Affected:
=========
probably all Communicator-4.5-packages on ALL operating systems.
I was able to reproduce this behavior on:
- Sun Solaris
- Linux (glibc2)
- MS Windows NT.
Workaround:
===========
Don't use Communicator 4.5 to fetch mails from your IMAP/POP server or be
very sure that no one can read your Netscape-preferences-file!!!
Regards,
Holger van Lengerich, "pine"-user :)
PS: The preferences.js is send to Netscape on Communicator-crash, isn't it?
----------------------------------------------------------------------------
Holger van Lengerich - University of Paderborn - Dept. of Computer Science
System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany
mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli
