Bugtraq mailing list archives
Re: Netscape Communicator 4.x sensitive informations in configuration file
From: psz () maths usyd edu au (Paul Szabo)
Date: Sat, 1 Mar 2003 10:03:17 +1100 (EST)
Byron York <byron () benefitrecovery com> wrote:
> > ... I've checked a file named prefs.js ... the IMAP mail part ... shows the unencrypted password ...
> >
> > user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
> > user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
> >
> > This is also true for POP3 and perhaps for SMTP, NNTP and LDAP passwords. The passwords are only stored if the remember password option is set (e.g. line 18). It may be possible to extract these passwords during a sneaking access to the system (local or remote by a backdoor)[1, 2] or examine a backup. This weakness should be kept in mind. I'm not sure if this vulnerability exists in other Netscape versions (e.g. 6 or 7).
> >
> > [1] http://www.idefense.com/advisory/11.19.02c.txt
> > [2] http://www.securityfocus.com/bid/6215
>
> We use Netscape 4.74 with roaming profiles using POP3, and my prefs.js file keeps the password hidden:
>
> user_pref("mail.pop_name", "byron");
> user_pref("mail.pop_password", "encryptedstuff");
> user_pref("mail.remember_password", true);
>
> I am not sure if the encryption is turned on someplace, but I suspect it is on by default, for it is definitely there for all of our POP clients using 4.74.

That is not encryption, but reversible obfuscation. Look in the Netscape source code for how to decode that: Netscape is able to do it and send the clear-text password to the POP server.

Do not allow Netscape (or other utilities, e.g. Eudora) to remember your passwords.

Cheers,

Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
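
An added example, not part of the original posts: a small audit that reports which prefs.js entries hold a saved mail password, treating clear-text and obfuscated values alike since both are recoverable, and never echoing the value. The sample file is constructed from the lines quoted in this thread; matching only on pref names ending in `password` or `pop_password` is an assumption based on those lines.

```python
import re

# Constructed sample assembled from the pref lines quoted in this thread.
SAMPLE = """\
user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
user_pref("mail.pop_name", "byron");
user_pref("mail.pop_password", "encryptedstuff");
user_pref("mail.remember_password", true);
user_pref("browser.startup.homepage", "http://example.invalid/");
"""

# One preference per line: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {pref_name: raw_value_text} for every user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.search(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs

def audit_saved_passwords(text):
    """Report prefs that store a non-empty password; the value is never returned."""
    prefs = parse_prefs(text)
    findings = []
    for name, raw in sorted(prefs.items()):
        last = name.rsplit(".", 1)[-1]
        if not re.fullmatch(r"(pop_)?password", last):
            continue  # also skips the boolean remember_password prefs
        if raw.strip('"') == "":
            continue  # nothing stored
        # The matching remember_password pref shares the same name prefix.
        prefix = name[: len(name) - len(last)]
        remember = prefs.get(prefix + "remember_password") == "true"
        findings.append({"pref": name, "remember_password": remember})
    return findings

if __name__ == "__main__":
    for f in audit_saved_passwords(SAMPLE):
        print(f"{f['pref']}: stored value present, remember_password={f['remember_password']}")
```

Any entry reported means the mail password should be treated as exposed to anyone who can read the profile directory or a backup of it.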