Bugtraq mailing list archives

Re[2]: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval


From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 8 Jun 2001 12:31:50 +0400

Hello Thomas,


--Wednesday, June 06, 2001, 8:36:39 PM, you wrote to bugtraq () securityfocus com:

TC> On Tue, 5 Jun 2001, 3APA3A wrote:

Risk : Low


TC> This does not seem like a real issue to me, and it certainly
TC> does not qualify as an exploit.  This information would seem

Yes, as I wrote in the advisory, I really treat this problem as security
related only in conjunction with others. An example is this quote from
the Netscape security notes:
http://home.netscape.com/security/notes/index.html

"JavaScript Cookie Exploit - An exploit was reported for Netscape
Communicator 4.72 and earlier in which a hostile site can read the
links in a user's bookmark file and some attributes of HTML files if
the user's profile name and the Communicator installation directory
path are known to the hostile site".

Now you can know the user's profile name and installation directory and
can launch the attack automatically by e-mail. The e-mail message can
"call back" the "hostile site" with information on the user's profile.
I don't believe this is the only exploit of this kind.

If you still think it's not a security issue - well, you're right :)

TC> useful only if we believed that security through obscurity had
TC> merit.  Compound this with the fact that most people are not even
TC> trying to hide their user account names, and that Netscape mail
TC> locations are typically standardized in default directories
TC> anyway.  This information appears to be useless for anyone trying
TC> to compromise security.


And I _completely_ disagree with your opinion on login. You're talking
about corporate security while I care about individual privacy.

Sure, if you use the name Thomas Corriher with e-mail
tcorriher () earthlink net while reading your IMAP folder with PINE from
your personal notebook, your login name and the location of your host
are really not important. But if you use the name "3APA3A" and you have
a couple more names of this kind and you read your mailboxes from a
corporate office and you wanna stay a little bit anonymous at the same
time, things are slightly different. In my case I don't care, and you
can get my login name another way, for example via netstat (I didn't
filter it). But in a different situation I would be really upset if
someone knew my Unix or NT login + my IP just because I read his e-mail
:) In this case I would _definitely_ wanna replace my e-mail software
with something that doesn't allow JavaScript at all :) (In fact I use
The Bat!, which does not).

TC> It is interesting, and I would like to commend the poster for
TC> his cleverness nevertheless.

Wow. Thanx :) I find this "feature" of Netscape very convenient - it
allows me to spy on how often my web site is mentioned in private
correspondence :))

-- 
~/3APA3A
But then, anyone at all could get eggs, heels and bishops into their head. (Lem)
