Bugtraq mailing list archives
More Netscape Passwords Available.
From: robert.e.jones () CWO COM AU (Rob Jones)
Date: Wed, 22 Dec 1999 14:58:52 +1100
Netscape 4.7 stores passwords in preferences.js even if you never ever even once tell it 'remember passwords', and even if it's a fresh install of 4.7 (the Solaris install I tested on has never seen any other version of Netscape).

I thought I was losing it with people pointing out that this didn't work when I thought it did, but I've done my homework this time and this bug does definitely affect:

  Solaris 2.5 Netscape 4.7
  Redhat Linux 6.0 Netscape 4.7

However, it only stores them in the file from the time you log onto your mail server to the time you quit and close all Netscape windows. Obviously this isn't as bad as it could be, but it does mean there is a window of opportunity for a hacker to grab your password from this file. Like sending you a mail, saying check out this attachment. You will have had to type in your password (it's then in the file), and the application you run can grab your password .... The rest is obvious.

Rob

P.S. This was tested with an IMAP rather than POP server, but I doubt if it's any different.

P.P.S. No, I've not contacted Netscape yet. If anyone thinks they would change this then please email them. I haven't got time because I leave this job (permanently, not just for Christmas) on Friday and I have too much to do before then to find the right person to contact.
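A defender-side check for the condition described in the post, as an added example that is not part of the original message: it scans a preferences.js for string-valued prefs whose name contains "password" and reports whether the file is readable by group or others. The name heuristic and the sample pref names are assumptions, since the post does not name the pref involved.

```python
import os
import re
import stat
import tempfile

# One user_pref("name", value); line; the value is captured raw.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')

def find_password_prefs(text):
    """Return names of prefs that appear to hold a stored password."""
    hits = []
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        # Heuristic (assumption): the pref name contains "password".
        if "password" not in name.lower():
            continue
        # Only non-empty quoted strings count; true/false flags and "" do not.
        if len(raw) > 2 and raw[0] == raw[-1] == '"':
            hits.append(name)
    return hits

def audit(path):
    """Audit one preferences.js: stored passwords and file exposure."""
    mode = os.stat(path).st_mode
    with open(path, "r", errors="replace") as fh:
        names = find_password_prefs(fh.read())
    others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return {"password_prefs": names, "readable_by_others": others}

# Constructed sample input; pref names and values are placeholders.
SAMPLE = '''// Netscape User Preferences
user_pref("mail.example_server.password", "CONSTRUCTED-VALUE");
user_pref("mail.remember_password", false);
user_pref("mail.other_server.password", "");
user_pref("browser.startup.homepage", "http://example.invalid/");
'''

def demo():
    """Write the sample to a temp file with mode 0644 and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".js", delete=False) as fh:
        fh.write(SAMPLE)
    try:
        os.chmod(fh.name, 0o644)
        return audit(fh.name)
    finally:
        os.unlink(fh.name)
```

Because the post says the value is present only while a mail session is open, the check is meaningful when run against a profile whose Netscape session is active.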