Re: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival

[Mads Peter Bach <mpb () bugtraq logout sh>]

3APA3A wrote:

[snip]
 
> Background:
>
> Netscape  Messanger  uses  internal  protocol  called  mailbox://. The
> format of mailbox URI is
>
> mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber
>
> this  URI  contains full path to user's mailbox which usually contains
> user's  login  name  and  in case of Windows 9x - the path to Netscape
> installation.   It's   impossible  to  determine  this  location  from
> javascript    inside    e-mail   message,   because   Netscape   hides
> document.location from javascript.
>
> Problem:
>
> It's  possible  to  retrieve mailbox:// URI of the message. E.g., it's
> possible to retrieve mailbox location, user's system login and in some
> cases path to Netscape installation.

This vulnerability only affects the users local (on the client machine) mailbox. If a user keeps his mail on an IMAP 
server, the the referer will show
up as an IMAP:// url.
Workaround: Don't use POP3, and keep your mail on an IMAP server.
 
/Mads