Bugtraq mailing list archives

Netscape passes mailbox path and message ID as refferer

From: rop () ITSX COM (Rop Gonggrijp)
Date: Sat, 28 Mar 1998 14:28:17 +0100


This may be old stuff, but it surprised me. I was just made aware that when
someone clicks on a URL in an incoming message while reading mail in
Netscape's reader, at least some versions of Netscape pass Refferer URLs in
the following format to the server serving that URL:

mailbox:/pbhrzs0/u5_s0/user_e/e99406/nsmail/Inbox?id=199802152301.AAA10398 () xs2 xs4all nl&number=2159429
mailbox:/Power%20HD/System%20Folder/Preferences/Netscape%20Users/Brian/Mail/Jean%20Michel%20Jarre?id=19970825211854.31559
 () grendel IAEhv nl&number=2
mailbox:/Harddisk/System%20Folder/Preferences/Netscape%20%C4/Mail/Jarre?id=199803172236.XAA18444 () xs2 xs4all 
nl&number=307371
mailbox:/Z|/perso/Mail/Inbox?id=199803172236.XAA18444 () xs2 xs4all nl&number=203034
mailbox:/home/fklee/nsmail/Inbox?id=199803172236.XAA18444 () xs2 xs4all nl&number=361


Note that in some configurations the user name shows up in the mailbox path,
along with information that might be usable for outside intrusions (such as
Windows share names), and that the message-ID of the E-mail message shows.

Maybe less surprising: It also passes file: URLs including the complete
path if you click in a file that's on disk. This also seems to include, at
least in some cases, the location of the bookmark file, including path.

file:///c%7C/Program%20Files/Netscape/Users/jurjen_vdbroeck/bookmark.htm



This makes me even more happy to be running Junkbuster.

--
Rop Gonggrijp <rop () itsx com>

Current thread:

Re: apache+ssl 1.13 symlink problem Ben Laurie (Mar 24)
- Re: apache+ssl 1.13 symlink problem; NcFTP 2.4.2+ Mike Gleason (Mar 24)
- Clarification Mike Gleason (Mar 24)
- Protocol Aleph One (Mar 24)
- SECURITY: new svgalib and kbd now available Erik Troan (Mar 25)
- Sumbit Internet Account v1.1 Dax Kelson (Mar 25)
  - Majordomo /tmp exploit Karl G - NOC Admin (Mar 26)
    - FW: mysql: Trivial mSQL/MySQL DoS method? (fwd) Michael Widenius (Mar 26)
    - Re: Majordomo /tmp exploit Steven Pritchard (Mar 26)
    - easy DoS in most RPC apps Peter van Dijk (Mar 28)
    - Netscape passes mailbox path and message ID as refferer Rop Gonggrijp (Mar 28)
    - Hole. HKirk (Mar 28)
    - Rhino9: WinGate Vulnerability Aleph One (Mar 29)
    - MySQL Security Sandu Mihai (Mar 29)
    - Re: MySQL Security Aleph One (Mar 29)
    - Eudora Pro 4.0 attachment/long filename problem whiz (Mar 29)
    - mysql: MySQL Security Michael Widenius (Mar 29)
    - wtmpx utility for solaris Ryan (Mar 30)
    - Re: wtmpx utility for solaris Mikael Brandstrom (Mar 31)
    - HPSBUX9803-077 Security Vulnerability with inetd on HP-UX Aleph One (Mar 30)
  - pset Buffer Overrun Vulnerability SGI Security Coordinator (Mar 26)

(Thread continues...)