Full Disclosure mailing list archives
Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
From: Renaud Lifchitz <r.lifchitz () sysdream com>
Date: Tue, 28 Feb 2006 23:57:07 +0100
Hello, If you carefully look at the inline attachments, you will find this (first proof of concept) : <html><head></head><body style="margin: 0px; padding: 0px; border: 0px;"><iframe src="http://www.sysdream.com"; width="100%" height="100%" frameborder="0" marginheight="0" marginwidth="0"></iframe> The information disclosure doesn't come from the first iframe, but from the second one. Indeed, the inline attachment "basic.html" itself contains a iframe, which is not correctly filtered and makes Thunderbird fetch any external resource. Best regards, Renaud Lifchitz http://www.sysdream.com Daniel Veditz wrote:
Renaud Lifchitz wrote:Mozilla Thunderbird : Multiple Information Disclosure VulnerabilitiesWe believe this to be a testing error. The problem of loading remote iframe and css content was fixed prior to the release of Mozilla Thunderbird 1.0 The testcase included in the advisory contains the iframe and css content in-line with the message. That will always be shown as there is no privacy issue with doing so and does not demonstrate the remote loading issue claimed. Once a user has pressed the "Show Images" button--not the best label since it covers all remote content--that state is stored in the mailbox metadata/index file (.msf) and the remote content will then be loaded on future viewings. If the .msf file is not deleted between tests this could give the appearance of the bug described in the advisory. There is a minor residual privacy issue if people whose mail you keep and reread are setting webbugs on you (your boss could find out how many times you read his memo?), but in most cases your privacy is fully blown once you load the remote content the first time.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Renaud Lifchitz (Feb 28)
- Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Daniel Veditz (Feb 28)
- Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Daniel Veditz (Feb 28)
- Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Renaud Lifchitz (Feb 28)
- Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Daniel Veditz (Feb 28)
- Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities nodialtone (Feb 28)
- Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Steve Shockley (Feb 28)
- Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Daniel Veditz (Feb 28)