TUCoPS :: Browsers :: ns4vul.txt

Netscape Communicator stores your mail password even when you tell it not to!!!!

Date: Wed, 4 Nov 1998 18:29:55 +0100
From: Holger van Lengerich <gimli@uni-paderborn.de>
To: BUGTRAQ@netspace.org
Subject: Communicator 4.5 stores EVERY mail-password in preferences.js


The Netscape Communicator 4.5 stores the crypted version of used
mail-passwords (for imap and pop3) even if you tell Netscape to *not*
"remember password" in the preferences dialog.

IMHO this means, that anybody who can read your preferences.js ("prefs.js"
in the MS dominion) is problably able to read your mail or even get your

How to reproduce:
- start Communicator
- be sure "remember password" is disabled in the preferences dialog for the
  "Incoming Mail Server".
- get mails from Server (you get asked for your mail-password)
- exit Communicator
- edit preferences.js in $HOME/.netscape (MS-Users: prefs.js in your
    - search for something like:
       --- 8< ---
       user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
       user_pref("mail.imap.server.mail.remember_password", false);
       --- >8 ---
   - Now change "false" to "true".
   - Save the file
- Start Communicator
- get mails

... now you are not asked for any password but can read all your mail! :(

probably all Communicator-4.5-packages on ALL operating systems.

I was able to reproduce this behavior on:
- Sun Solaris
- Linux (glibc2)
- MS Windows NT.

Don't use Communicator 4.5 to fetch mails from your IMAP/POP server or be
very sure that no one can read your Netscape-preferences-file!!!

    Holger van Lengerich, "pine"-user :)

PS: The preferences.js is send to Netscape on Communicator-crash, isn't it?
 Holger van Lengerich - University of Paderborn - Dept. of Computer Science
  System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany
   mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH