Bugtraq mailing list archives
Re: SECURITY.NNOV: Netscape 4.7x Messanger user information retrival
From: Thomas Corriher <tcorriher () earthlink net>
Date: Wed, 6 Jun 2001 12:36:39 -0400 (EDT)
On Tue, 5 Jun 2001, 3APA3A wrote:
> Author : 3APA3A <3APA3A () security nnov ru>
> Affected software : Netscape 4.7x All Platforms
> Vendor URL : http://www.netscape.com
> SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
>
> Background:
> Netscape Messenger uses internal protocol called mailbox://. The format of mailbox URI is
>
> mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber
>
> Problem:
> It's possible to retrieve mailbox:// URI of the message. E.g., it's possible to retrieve mailbox location, user's system login and in some cases path to Netscape installation.
This does not seem like a real issue to me, and it certainly does not qualify as an exploit. This information would seem useful only if we believed that security through obscurity had merit. Compound this with the fact that most people are not even trying to hide their user account names, and that Netscape mail locations are typically standardized in default directories anyway. This information appears to be useless for anyone trying to compromise security.

It is interesting, and I would like to commend the poster for his cleverness nevertheless.

--
Thomas Corriher
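The mailbox:// format quoted from the advisory above, parsed to show which local details such a URI carries and how to scrub the path before the URI is logged or forwarded. This is an added example, not part of the original thread; the sample URIs, the directory layouts, and the rule that the login is the path segment after "home" or "Users" are constructed assumptions.

```python
from urllib.parse import parse_qs, unquote

PREFIX = "mailbox://"
# Assumption: the login is the path segment that follows one of these names.
USER_PARENTS = {"home", "users"}

# Constructed sample URIs in the format the advisory quotes.
SAMPLES = [
    "mailbox:///home/alice/nsmail/Inbox?ID=constructed-id@example.test&number=1234",
    "mailbox://C:/Program%20Files/Netscape/Users/bob/Mail/Inbox?ID=x&number=7",
    "mailbox:///var/spool/store/Inbox?ID=y&number=1",
]

def parse_mailbox_uri(uri):
    """Split a mailbox:// URI into its folder path and query parameters."""
    if not uri.lower().startswith(PREFIX):
        raise ValueError("not a mailbox:// URI")
    path, _, query = uri[len(PREFIX):].partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return unquote(path), params

def disclosed(uri):
    """Report which local details the URI would reveal to whoever reads it."""
    path, params = parse_mailbox_uri(uri)
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    login = None
    for i, seg in enumerate(segments[:-1]):
        if seg.lower() in USER_PARENTS:
            login = segments[i + 1]
            break
    return {"folder_path": path, "login": login,
            "message_id": params.get("ID"), "number": params.get("number")}

def redact(uri):
    """Drop the local path but keep the message identifiers."""
    parse_mailbox_uri(uri)  # validates the scheme
    _, sep, query = uri[len(PREFIX):].partition("?")
    return PREFIX + "<redacted-path>" + sep + query

if __name__ == "__main__":
    for sample in SAMPLES:
        print(disclosed(sample))
        print(redact(sample))
```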