Bugtraq mailing list archives

Netscape Communicator 4.x sensitive informations in configuration file

From: Marc Ruef <marc.ruef () computec ch>
Date: Fri, 28 Feb 2003 14:33:18 +0100

Hi!

It seems that I'm one of the last Netscape 4.x users. During my research
for using roaming profiles I've checked a file named prefs.js in my
netscape folder (C:\Program Files\Netscape\Users\mruef).

The following paste shows the IMAP mail part of this configuration file.
You can see that the line 17 shows the unencrypted password
("MyPassword4").

--- cut ---

user_pref("mail.imap.server.imap.computec.ch.admin_url", "");
user_pref("mail.imap.server.imap.computec.ch.capability", 4641);
user_pref("mail.imap.server.imap.computec.ch.check_new_mail", true);
user_pref("mail.imap.server.imap.computec.ch.check_time", 60);
user_pref("mail.imap.server.imap.computec.ch.cleanup_folders_on_exit",
false);
user_pref("mail.imap.server.imap.computec.ch.cleanup_inbox_on_exit",
false);
user_pref("mail.imap.server.imap.computec.ch.delete_model", 2);
user_pref("mail.imap.server.imap.computec.ch.dual_use_folders", true);
user_pref("mail.imap.server.imap.computec.ch.empty_trash_on_exit",
false);
user_pref("mail.imap.server.imap.computec.ch.empty_trash_threshhold",
0);
user_pref("mail.imap.server.imap.computec.ch.isSecure", true);
user_pref("mail.imap.server.imap.computec.ch.namespace.other_users",
"");
user_pref("mail.imap.server.imap.computec.ch.namespace.personal",
"\"INBOX.\"");
user_pref("mail.imap.server.imap.computec.ch.namespace.public",
"\"shared.\"");
user_pref("mail.imap.server.imap.computec.ch.offline_download", false);
user_pref("mail.imap.server.imap.computec.ch.override_namespaces",
true);
user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
user_pref("mail.imap.server.imap.computec.ch.server_sub_directory", "");
user_pref("mail.imap.server.imap.computec.ch.userName", "mruef");
user_pref("mail.imap.server.imap.computec.ch.using_subscription", true);

-- cut ---

This is also true for POP3 and perhaps for SMTP, NNTP and LDAP
passwords. The passwords are only stored if the remember password option
is set (e.g. line 18).

It may be possible to extract these passwords during a sneaking access
to the system (local or remote by a backdoor)[1, 2] or examine a backup.
This weakness should be keeped in mind.

I'm not sure if this vulnerability exists in other Netscape versions
(e.g. 6 or 7).

Bye, Marc

[1] http://www.idefense.com/advisory/11.19.02c.txt
[2] http://www.securityfocus.com/bid/6215

-- 
Computer, Technik und Security                  http://www.computec.ch/
Meine private Webseite                    http://www.computec.ch/mruef/

Current thread:

Netscape Communicator 4.x sensitive informations in configuration file Marc Ruef (Feb 28)
- Re: Netscape Communicator 4.x sensitive informations in configuration file Byron York (Feb 28)
- Re: Netscape Communicator 4.x sensitive informations in configuration file Nicolas RUFF (lists) (Feb 28)
- <Possible follow-ups>
- Re: Netscape Communicator 4.x sensitive informations in configuration file Paul Szabo (Feb 28)