lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4404D543.1030402@sysdream.com>
Date: Tue Feb 28 22:56:45 2006
From: r.lifchitz at sysdream.com (Renaud Lifchitz)
Subject: Mozilla Thunderbird : Multiple Information
	Disclosure Vulnerabilities

Hello,

If you carefully look at the inline attachments, you will find this
(first proof of concept) :

<html><head></head><body style="margin: 0px; padding: 0px; border:
0px;"><iframe src="http://www.sysdream.com" width="100%" height="100%"
frameborder="0" marginheight="0" marginwidth="0"></iframe>

The information disclosure doesn't come from the first iframe, but from
the second one. Indeed, the inline attachment "basic.html" itself
contains a iframe, which is not correctly filtered and makes Thunderbird
fetch any external resource.


Best regards,

Renaud Lifchitz
http://www.sysdream.com




Daniel Veditz wrote:

>Renaud Lifchitz wrote:
>  
>
>>Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
>>    
>>
>
>We believe this to be a testing error. The problem of loading remote
>iframe and css content was fixed prior to the release of Mozilla
>Thunderbird 1.0
>
>The testcase included in the advisory contains the iframe and css
>content in-line with the message. That will always be shown as there is
>no privacy issue with doing so and does not demonstrate the remote
>loading issue claimed.
>
>Once a user has pressed the "Show Images" button--not the best label
>since it covers all remote content--that state is stored in the mailbox
>metadata/index file (.msf) and the remote content will then be loaded on
>future viewings. If the .msf file is not deleted between tests this
>could give the appearance of the bug described in the advisory.
>
>There is a minor residual privacy issue if people whose mail you keep
>and reread are setting webbugs on you (your boss could find out how many
>times you read his memo?), but in most cases your privacy is fully blown
>once you load the remote content the first time.
>
>
>  
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ