COMMAND

    netscape

SYSTEMS AFFECTED

    Netscape Communicator 4.5 (all systems)

PROBLEM

    Holger van Lengerich found the following.  Netscape Communicator
    4.5 stores the encrypted version of the mail passwords you have
    used (for IMAP and POP3) even if you tell Netscape *not* to
    "remember password" in the preferences dialog.  This means that
    anybody who can read your preferences.js ("prefs.js" in the MS
    dominion) is probably able to read your mail or even get your
    plaintext password.

    How to reproduce:

        - start Communicator
        - be sure "remember password" is disabled in the preferences
          dialog for the "Incoming Mail Server".
        - get mail from the server (you are asked for your mail
          password)
        - exit Communicator
        - edit preferences.js in $HOME/.netscape (MS users: prefs.js
          in your NS-Profile-Path)
            - search for something like:
               ------
               user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
               user_pref("mail.imap.server.mail.remember_password", false);
               ------
            - Now change "false" to "true".
            - Save the file
        - Start Communicator
        - get mails

    ... now you are not asked for any password but can read all your
    mail!  This was tested on SunOS, Linux (glibc2) and MS WinNT.

    Note that only IMAP passwords are stored in preferences.js after
    the Communicator process is correctly terminated.  POP passwords
    are stored in preferences.js the first time you fetch mail from
    the server and are cleared when Communicator exits.  This was
    observed using Communicator 4.5 on Sun Solaris.  Even this is a
    security problem:

        - On a multiuser OS like Unix, an evil user may access the
          preferences file while you are working with Communicator.
        - Files may be accessible via network shares.
        - In a crash situation the password may not be cleared from
          preferences.js.
        - In this case the "Quality Feedback Agent" (QFA) may, if you
          allow it to do so, transfer preferences.js (with the
          encrypted password) via the Internet (readable at any host
          on the way to Netscape Corp.)

    Be aware that the encryption of the password gives *NO* security.
    You don't need to know the decryption algorithm, because
    Communicator itself can do the decryption for you.  By using a
    packet sniffer (like HD-MOORE) or setting up a patched
    IMAP-/POP-Server with a password logging facility, you can easily
    get the plaintext passwords.

SOLUTION

    Don't use Communicator 4.5 to fetch mail from your IMAP/POP
    server, or be very sure that no one can read your Netscape
    preferences file!!!
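
    One way to check a preferences file for the condition described
    above (added example, not part of the original advisory or of
    Netscape's code).  It generalizes from the single IMAP key shown
    above to any mail.<...>.password pref; that pattern and the
    function names are assumptions.  It reports the key only, never
    the stored value.

```python
import os
import re
import stat
import sys

# user_pref("key", value); as written in preferences.js / prefs.js
PREF_RE = re.compile(r'user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample: the two lines quoted in the advisory.
SAMPLE = '''
user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
user_pref("mail.imap.server.mail.remember_password", false);
'''

def parse_prefs(text):
    """Return {key: value} with surrounding quotes removed from string values."""
    return {m.group(1): m.group(2).strip('"') for m in PREF_RE.finditer(text)}

def audit_prefs(text):
    """Report every mail.*.password pref holding a value, never the value itself."""
    prefs = parse_prefs(text)
    findings = []
    for key in sorted(prefs):
        # Assumption: password prefs follow the mail.<...>.password pattern shown above.
        if key.startswith("mail.") and key.endswith(".password") and prefs[key]:
            flag = prefs.get(key[:-len("password")] + "remember_password", "unset")
            findings.append({"key": key, "remember_password": flag,
                             "stored_against_setting": flag != "true"})
    return findings

def readable_by_others(path):
    """True if group or world read bits are set on the file (Unix modes)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    default = os.path.expanduser("~/.netscape/preferences.js")
    for path in sys.argv[1:] or [default]:
        with open(path, encoding="latin-1") as fh:
            results = audit_prefs(fh.read())
        for f in results:
            print(f"{path}: {f['key']} holds a value "
                  f"(remember_password={f['remember_password']})")
        if readable_by_others(path):
            print(f"{path}: readable by group/other, run chmod 600")
```

    Run it while Communicator is open as well as after exit, since
    POP passwords are only present in the file during the session.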