Bugtraq mailing list archives
Netscape passes mailbox path and message ID as refferer
From: rop () ITSX COM (Rop Gonggrijp)
Date: Sat, 28 Mar 1998 14:28:17 +0100
This may be old stuff, but it surprised me. I was just made aware that when someone clicks on a URL in an incoming message while reading mail in Netscape's reader, at least some versions of Netscape pass Refferer URLs in the following format to the server serving that URL:
mailbox:/pbhrzs0/u5_s0/user_e/e99406/nsmail/Inbox?id=199802152301.AAA10398 () xs2 xs4all nl&number=2159429 mailbox:/Power%20HD/System%20Folder/Preferences/Netscape%20Users/Brian/Mail/Jean%20Michel%20Jarre?id=19970825211854.31559 () grendel IAEhv nl&number=2 mailbox:/Harddisk/System%20Folder/Preferences/Netscape%20%C4/Mail/Jarre?id=199803172236.XAA18444 () xs2 xs4all nl&number=307371 mailbox:/Z|/perso/Mail/Inbox?id=199803172236.XAA18444 () xs2 xs4all nl&number=203034 mailbox:/home/fklee/nsmail/Inbox?id=199803172236.XAA18444 () xs2 xs4all nl&number=361
Note that in some configurations the user name shows up in the mailbox path, along with information that might be usable for outside intrusions (such as Windows share names), and that the message-ID of the E-mail message shows. Maybe less surprising: It also passes file: URLs including the complete path if you click in a file that's on disk. This also seems to include, at least in some cases, the location of the bookmark file, including path.
file:///c%7C/Program%20Files/Netscape/Users/jurjen_vdbroeck/bookmark.htm
This makes me even more happy to be running Junkbuster. -- Rop Gonggrijp <rop () itsx com>
Current thread:
- Re: apache+ssl 1.13 symlink problem Ben Laurie (Mar 24)
- Re: apache+ssl 1.13 symlink problem; NcFTP 2.4.2+ Mike Gleason (Mar 24)
- Clarification Mike Gleason (Mar 24)
- Protocol Aleph One (Mar 24)
- SECURITY: new svgalib and kbd now available Erik Troan (Mar 25)
- Sumbit Internet Account v1.1 Dax Kelson (Mar 25)
- Majordomo /tmp exploit Karl G - NOC Admin (Mar 26)
- FW: mysql: Trivial mSQL/MySQL DoS method? (fwd) Michael Widenius (Mar 26)
- Re: Majordomo /tmp exploit Steven Pritchard (Mar 26)
- easy DoS in most RPC apps Peter van Dijk (Mar 28)
- Netscape passes mailbox path and message ID as refferer Rop Gonggrijp (Mar 28)
- Hole. HKirk (Mar 28)
- Rhino9: WinGate Vulnerability Aleph One (Mar 29)
- MySQL Security Sandu Mihai (Mar 29)
- Re: MySQL Security Aleph One (Mar 29)
- Eudora Pro 4.0 attachment/long filename problem whiz (Mar 29)
- mysql: MySQL Security Michael Widenius (Mar 29)
- wtmpx utility for solaris Ryan (Mar 30)
- Re: wtmpx utility for solaris Mikael Brandstrom (Mar 31)
- Majordomo /tmp exploit Karl G - NOC Admin (Mar 26)
- HPSBUX9803-077 Security Vulnerability with inetd on HP-UX Aleph One (Mar 30)