From: Michael Puchol (mpuchol_at_sonar-security.com)
Date: Wed Jan 01 2003 - 05:19:49 CST
Potential disclosure of sensitive information in Netscape 7.0 email client.
Netscape 7.0 includes, as part of its release, an email client, capable of
handling POP3 and IMAP accounts. The method that the email client utilizes
to permanently delete email messages is not explained, which could lead to
users having large quantities of email messages, which they would think of
as permanently deleted, still stored in clear text on their hard disks.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823
Netscape/7.0 (from the About Netscape window)
Netscape's email client stores received email messages in mailbox files,
which are basically sequentially written ASCII text files. A second file is
used to save the status of each individual message contained in the mailbox
file (read, unread, flagged, etc.).
When a user deletes an email message from, for example, his inbox folder
within the email client, it is sent to the 'Trash' folder. The user can then
right-click on this folder and select 'Empty trash' from the popup menu.
In most instances of Windows-based applications, this action would
permanently remove the contents of the trash folder, recycle bin, or
appropriate substitute. In Netscape's email client, it does not. The deleted
email messages are marked for removal in the status file which accompanies
the mailbox file. It is only when the user chooses to compact the folder
which contained the deleted email message (and not the trash folder!), that
the deleted messages are permanently removed.
Recovery of messages not permanently removed by compacting is trivial. A
simple file-parsing VBScript is all that is needed to extract all individual
messages from a mailbox file, and dump them as separate .eml files.
The help system that accompanies Netscape's email client states the
following, under the section "Using Netscape Mail -> Deleting Messages":
// BEGIN QUOTE
"To delete messages from your Inbox or other folders, begin from the Mail
1.. In the message list, select the messages and click Delete. By default,
Mail & Newsgroups moves the selected messages to the Trash folder.
2.. To delete messages permanently, open the File menu and choose Empty
"To delete messages permanently:
a.. Open the File menu and choose Empty Trash."
// END QUOTE
It is misleading to state that to delete messages permanently, a user should
simply "Empty Trash". To give Netscape a mitigating factor, in an
unrelated area of the help file (IMAP Server Settings), we find the
// BEGIN QUOTE
"When I delete a message: Choose the behavior you want for deleted messages.
"Move it to the Trash folder" is recommended unless you are instructed to
use a different setting by your system administrator or service provider.
Messages marked as deleted are removed only when you compact folders."
// END QUOTE
However, such a setting is NOT available, and it is NOT mentioned in any form
for POP mailboxes. So a user reading only about setting up options or using
a POP account would be unaware of this behaviour. He will not know that
messages will only be permanently removed when the original folder is
compacted, after the trash folder is emptied. Even if he read the IMAP
section, he would have to make the connection between the two and realise
the problem.
A setting exists in the email client configuration (Edit -> Preferences ->
Offline & Disk Space Preferences) that allows the message folders to be
compacted automatically when compacting would save the amount of disk space
entered. The default value for this setting is 100kB. This feature is NOT
enabled by default in the tested Netscape installation.
Optionally, use the popup menu which appears on right-clicking a folder to
manually compact it, when sensitive messages have been deleted by sending
them to Trash.
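
A check to go with the workaround above, added here as an example and not code from the advisory or from Netscape: it reports messages that are still physically present in a mailbox file although flagged as deleted, so a folder that still needs compacting can be spotted. It assumes the Mozilla-family X-Mozilla-Status header with the 0x0008 "expunged" bit inside the mailbox file itself, which the advisory does not describe; the sample mailbox is constructed.

```python
import re
import sys

# Assumption (not stated in the advisory): Mozilla-family clients record flags
# in an X-Mozilla-Status header inside the mailbox file; bit 0x0008 = expunged.
EXPUNGED = 0x0008
STATUS = re.compile(rb"^X-Mozilla-Status:[ \t]*([0-9A-Fa-f]{1,4})[ \t\r]*$", re.M)

def split_messages(raw):
    """Split mbox bytes at 'From ' separator lines (file start or after a blank line)."""
    messages, current, prev_blank = [], None, True
    for line in raw.splitlines(keepends=True):
        if line.startswith(b"From ") and prev_blank:
            current = []
            messages.append(current)
        elif current is not None:
            current.append(line)
        prev_blank = not line.strip()
    return [b"".join(m) for m in messages]

def audit_mailbox(raw):
    """Report messages still stored in the file although flagged as deleted."""
    messages = split_messages(raw)
    residual, residual_bytes = [], 0
    for index, msg in enumerate(messages):
        head = re.split(rb"\r?\n\r?\n", msg, maxsplit=1)[0]  # headers only
        match = STATUS.search(head)
        if match and int(match.group(1), 16) & EXPUNGED:
            residual.append(index)
            residual_bytes += len(msg)
    return {"total": len(messages), "residual": residual,
            "residual_bytes": residual_bytes, "needs_compaction": bool(residual)}

# Constructed sample: one kept message, one deleted and flagged expunged.
SAMPLE = (
    b"From - Wed Jan 01 05:19:49 2003\n"
    b"X-Mozilla-Status: 0001\n"
    b"Subject: kept message\n\n"
    b"Still in the inbox.\n\n"
    b"From - Wed Jan 01 05:20:10 2003\n"
    b"X-Mozilla-Status: 0009\n"
    b"Subject: deleted, trash emptied\n\n"
    b"Body is still on disk in clear text.\n\n"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = audit_mailbox(data)
    print("%(total)d messages, %(residual_bytes)d residual bytes, "
          "compaction needed: %(needs_compaction)s" % report)
```

Run it against a copy of a folder's mailbox file before and after compacting; after a successful compaction the residual count should be zero.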
Reproducing the problem:
A VBScript which will ask for an input Netscape mailbox file, and output
individual .eml messages into a subdirectory called name_of_mailbox_eml is
available for download at:
MD5 Sum: 202aebc3b3629303cd644f75f606dc15
You are encouraged to review with an appropriate editor the source code of
downloaded scripts before executing them.
Netscape was notified of the problem on the 24th of December, 2002, via
their online Security Bug Report Form, available at:
We haven't received a reply from Netscape, not even an automatic
confirmation email of the bug report.
 Netscape 7.0 email help file, Copyright © 1994-2002 Netscape