Bugtraq mailing list archives

Re: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival


From: Thomas Corriher <tcorriher () earthlink net>
Date: Wed, 6 Jun 2001 12:36:39 -0400 (EDT)

On Tue, 5 Jun 2001, 3APA3A wrote:

Author                  : 3APA3A <3APA3A () security nnov ru>
Affected software       : Netscape 4.7x All Platforms
Vendor URL              : http://www.netscape.com
SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories

Background:

Netscape Messenger uses an internal protocol called mailbox://. The
format of a mailbox URI is

mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber

Problem:

It's possible to retrieve the mailbox:// URI of the message. E.g., it's
possible to retrieve the mailbox location, the user's system login and in
some cases the path to the Netscape installation.

This does not seem like a real issue to me, and it certainly
does not qualify as an exploit.  This information would seem
useful only if we believed that security through obscurity had
merit.  Compound this with the fact that most people are not even
trying to hide their user account names, and that Netscape mail
locations are typically standardized in default directories
anyway.  This information appears to be useless for anyone trying
to compromise security.

It is interesting, and I would like to commend the poster for
his cleverness nevertheless.


-- 
  Thomas Corriher
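
To make concrete what the quoted advisory says a mailbox:// URI gives away, here is an added example (not part of the original messages) that splits such a URI into the fields the advisory lists. The sample URIs are constructed, and the directory layouts used to pick out the login name and install directory (a home directory on Unix, a Users/<profile> folder under the install directory on Windows) are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample URIs in the format quoted in the advisory; the directory
# layouts are assumed defaults, not values taken from the advisory.
UNIX_SAMPLE = "mailbox:///home/alice/nsmail/Inbox?ID=3B1E%40example.org&number=1234"
WIN_SAMPLE = "mailbox:///C|/Program%20Files/Netscape/Users/bob/Mail/Inbox?ID=77&number=42"

# Assumed layouts: /home/<login>/... and <drive>/<install dir>/Users/<profile>/...
UNIX_HOME = re.compile(r"^/(?:home|export/home)/([^/]+)/")
WIN_PROFILE = re.compile(r"^/?([A-Za-z])[:|]/(.*?)/Users/([^/]+)/", re.IGNORECASE)

def disclosed_fields(uri):
    """Split a mailbox:// URI into the local details it reveals."""
    scheme, sep, rest = uri.partition("://")
    if scheme.lower() != "mailbox" or not sep:
        raise ValueError("not a mailbox:// URI")
    raw_path, _, raw_query = rest.partition("?")
    path = unquote(raw_path).replace("\\", "/")
    query = {k.lower(): v[0] for k, v in parse_qs(raw_query).items()}
    info = {
        "folder": path,                  # mailbox location on disk
        "login": None,                   # account or profile name, if visible
        "install_dir": None,             # only when profiles live under it
        "message_id": query.get("id"),
        "number": query.get("number"),
    }
    win = WIN_PROFILE.match(path)
    unix = UNIX_HOME.match(path)
    if win:
        drive, prefix, profile = win.groups()
        info["login"] = profile
        info["install_dir"] = f"{drive.upper()}:/{prefix}"
    elif unix:
        info["login"] = unix.group(1)
    return info

if __name__ == "__main__":
    for sample in (UNIX_SAMPLE, WIN_SAMPLE):
        print(disclosed_fields(sample))
```
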


