Bugtraq mailing list archives
Re: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
From: Mads Peter Bach <mpb () bugtraq logout sh>
Date: Wed, 06 Jun 2001 06:34:58 +0200
3APA3A wrote: [snip]
Background: Netscape Messanger uses internal protocol called mailbox://. The format of mailbox URI is mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber this URI contains full path to user's mailbox which usually contains user's login name and in case of Windows 9x - the path to Netscape installation. It's impossible to determine this location from javascript inside e-mail message, because Netscape hides document.location from javascript. Problem: It's possible to retrieve mailbox:// URI of the message. E.g., it's possible to retrieve mailbox location, user's system login and in some cases path to Netscape installation.
This vulnerability only affects the users local (on the client machine) mailbox. If a user keeps his mail on an IMAP server, the the referer will show up as an IMAP:// url. Workaround: Don't use POP3, and keep your mail on an IMAP server. /Mads
Current thread:
- SECURITY.NNOV: Netscape 4.7x Messanger user information retrival 3APA3A (Jun 05)
- Re: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival Mads Peter Bach (Jun 05)
- Re: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival Thomas Corriher (Jun 07)