Date: Wed, 4 Nov 1998 18:29:55 +0100
From: Holger van Lengerich <gimli@uni-paderborn.de>
To: BUGTRAQ@netspace.org
Subject: Communicator 4.5 stores EVERY mail-password in preferences.js

Hi!

The Netscape Communicator 4.5 stores the crypted version of used
mail-passwords (for imap and pop3) even if you tell Netscape to *not*
"remember password" in the preferences dialog.

Damage:
=======
IMHO this means, that anybody who can read your preferences.js ("prefs.js"
in the MS dominion) is problably able to read your mail or even get your
plaintext-password.

How to reproduce:
=================
- start Communicator
- be sure "remember password" is disabled in the preferences dialog for the
  "Incoming Mail Server".
- get mails from Server (you get asked for your mail-password)
- exit Communicator
- edit preferences.js in $HOME/.netscape (MS-Users: prefs.js in your
  NS-Profile-Path)
    - search for something like:
       --- 8< ---
       user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
       user_pref("mail.imap.server.mail.remember_password", false);
       --- >8 ---
   - Now change "false" to "true".
   - Save the file
- Start Communicator
- get mails

... now you are not asked for any password but can read all your mail! :(

Affected:
=========
probably all Communicator-4.5-packages on ALL operating systems.

I was able to reproduce this behavior on:
- Sun Solaris
- Linux (glibc2)
- MS Windows NT.

Workaround:
===========
Don't use Communicator 4.5 to fetch mails from your IMAP/POP server or be
very sure that no one can read your Netscape-preferences-file!!!

Regards,
    Holger van Lengerich, "pine"-user :)

PS: The preferences.js is send to Netscape on Communicator-crash, isn't it?
----------------------------------------------------------------------------
 Holger van Lengerich - University of Paderborn - Dept. of Computer Science
  System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany
   mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli