BugTraq
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 06:59PM
Renaud Lifchitz (r lifchitz sysdream com) (2 replies)
Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 11:57PM
Steve Shockley (steve shockley shockley net)
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 10:17PM
Daniel Veditz (dveditz cruzio com) (4 replies)
Renaud Lifchitz wrote:
> Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

We believe this to be a testing error. The problem of loading remote
iframe and css content was fixed prior to the release of Mozilla
Thunderbird 1.0.

The testcase included in the advisory contains the iframe and css
content in-line with the message. That will always be shown as there is
no privacy issue with doing so and does not demonstrate the remote
loading issue claimed.

Once a user has pressed the "Show Images" button--not the best label
since it covers all remote content--that state is stored in the mailbox
metadata/index file (.msf) and the remote content will then be loaded on
future viewings. If the .msf file is not deleted between tests this
could give the appearance of the bug described in the advisory.

There is a minor residual privacy issue if people whose mail you keep
and reread are setting webbugs on you (your boss could find out how many
times you read his memo?), but in most cases your privacy is fully blown
once you load the remote content the first time.

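Added example, not part of the original thread and not Mozilla's code: one way to check whether a test message references remote content at all, which is the distinction the reply above draws between in-line and remotely loaded iframe and CSS content. The sample messages, the `tracker.example` host and all function names are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# url(...) and @import "..." references inside CSS text
CSS_URL = re.compile(r"""(?:url\(\s*|@import\s+(?!url))['"]?([^'")\s;]+)""", re.I)

class RefCollector(HTMLParser):
    """Collect URLs a mail client would fetch automatically to render the HTML."""
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        for name in ("src", "href", "background"):
            if attrs.get(name) and tag != "a":   # <a href> needs a click, not auto-loaded
                self.refs.append((tag, attrs[name]))
        self.refs += [("style-attr", u) for u in CSS_URL.findall(attrs.get("style") or "")]

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self.refs += [("style", u) for u in CSS_URL.findall(data)]

def is_remote(url):
    return url.startswith("//") or urlparse(url).scheme.lower() in ("http", "https", "ftp")

def remote_refs(raw):
    """Return (tag, url) pairs in text/html parts that need a network fetch."""
    found = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            collector = RefCollector()
            collector.feed(body)
            found += [(t, u) for t, u in collector.refs if is_remote(u)]
    return found

# Constructed test messages (not the advisory's actual test case).
HDR = "From: a@example.org\nSubject: t\nMIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
INLINE = HDR + '<html><head><style>p {color: red}</style></head><body><iframe src="cid:frame1"></iframe></body></html>'
REMOTE = HDR + '<html><head><link rel="stylesheet" href="http://tracker.example/s.css"></head><body><iframe src="http://tracker.example/f.html"></iframe></body></html>'

if __name__ == "__main__":
    print("inline:", remote_refs(INLINE))
    print("remote:", remote_refs(REMOTE))
```

An empty result means everything the client displays comes from the message itself, so the test case cannot show remote loading. When retesting a message that does reference remote content, the stored "Show Images" state in the .msf file described above still has to be cleared between runs.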
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Mar 01 2006 08:23PM
Nick Boyce (nick boyce gmail com) (1 replies)
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 10:57PM
Renaud Lifchitz (r lifchitz sysdream com)
Copyright 2010, SecurityFocus