Message-ID: <4404D543.1030402@sysdream.com>
Date: Tue, 28 Feb 2006 23:57:07 +0100
From: Renaud Lifchitz <r.lifchitz@...dream.com>
To: Daniel Veditz <dveditz@...zio.com>
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
security@...illa.org
Subject: Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
Hello,
If you look carefully at the inline attachments, you will find this
(first proof of concept):
<html><head></head><body style="margin: 0px; padding: 0px; border:
0px;"><iframe src="http://www.sysdream.com" width="100%" height="100%"
frameborder="0" marginheight="0" marginwidth="0"></iframe>
The information disclosure doesn't come from the first iframe, but from
the second one. Indeed, the inline attachment "basic.html" itself
contains an iframe, which is not correctly filtered and makes Thunderbird
fetch any external resource.
Best regards,
Renaud Lifchitz
http://www.sysdream.com
Daniel Veditz wrote:
>Renaud Lifchitz wrote:
>
>
>>Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
>>
>>
>
>We believe this to be a testing error. The problem of loading remote
>iframe and css content was fixed prior to the release of Mozilla
>Thunderbird 1.0
>
>The testcase included in the advisory contains the iframe and css
>content in-line with the message. That will always be shown as there is
>no privacy issue with doing so and does not demonstrate the remote
>loading issue claimed.
>
>Once a user has pressed the "Show Images" button--not the best label
>since it covers all remote content--that state is stored in the mailbox
>metadata/index file (.msf) and the remote content will then be loaded on
>future viewings. If the .msf file is not deleted between tests this
>could give the appearance of the bug described in the advisory.
>
>There is a minor residual privacy issue if people whose mail you keep
>and reread are setting webbugs on you (your boss could find out how many
>times you read his memo?), but in most cases your privacy is fully blown
>once you load the remote content the first time.
>
>
>
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
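
An added example (not part of the original thread, and not Thunderbird's code): a gateway-style check that walks every text/html part of a message, inline attachments such as "basic.html" included, and lists the elements that would make a renderer fetch a remote resource. The sample message, the tracker.example host and the names RemoteRefFinder and remote_refs are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Tag/attribute pairs that make an HTML renderer fetch a resource.
# (CSS url() references inside <style> blocks are not covered here.)
FETCH_ATTRS = {("iframe", "src"), ("frame", "src"), ("img", "src"),
               ("script", "src"), ("link", "href"), ("object", "data")}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            remote = (value or "").lower().startswith(("http://", "https://", "//"))
            if (tag, name) in FETCH_ATTRS and remote:
                self.refs.append((tag, value))

def remote_refs(raw_message: bytes):
    """Return (part label, tag, url) for each remote reference in any HTML part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteRefFinder()
        finder.feed(part.get_content())
        label = part.get_filename() or "<body>"
        found.extend((label, tag, url) for tag, url in finder.refs)
    return found

# Constructed sample: clean HTML body plus an inline HTML attachment with an iframe.
SAMPLE = b"""\
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><p>Hello</p></body></html>
--b1
Content-Type: text/html; charset="us-ascii"; name="basic.html"
Content-Disposition: inline; filename="basic.html"

<html><body><iframe src="http://tracker.example/hit"></iframe></body></html>
--b1--
"""
```

Scanning only the top-level body would report nothing for this sample; the reference is found because attachment parts are inspected as well.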