BugTraq
Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 06:59PM
Renaud Lifchitz (r lifchitz sysdream com) (2 replies)
Re: Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 11:57PM
Steve Shockley (steve shockley shockley net)
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 10:17PM
Daniel Veditz (dveditz cruzio com) (4 replies)
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Mar 01 2006 08:23PM
Nick Boyce (nick boyce gmail com) (1 replies)
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities Feb 28 2006 10:57PM
Renaud Lifchitz (r lifchitz sysdream com)
Hello,

If you carefully look at the inline attachments, you will find this
(first proof of concept) :

<html><head></head><body style="margin: 0px; padding: 0px; border:
0px;"><iframe src="http://www.sysdream.com" width="100%" height="100%"
frameborder="0" marginheight="0" marginwidth="0"></iframe>

The information disclosure doesn't come from the first iframe, but from
the second one. Indeed, the inline attachment "basic.html" itself
contains a iframe, which is not correctly filtered and makes Thunderbird
fetch any external resource.

Best regards,

Renaud Lifchitz
http://www.sysdream.com

Daniel Veditz wrote:

>Renaud Lifchitz wrote:
>
>
>>Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
>>
>>
>
>We believe this to be a testing error. The problem of loading remote
>iframe and css content was fixed prior to the release of Mozilla
>Thunderbird 1.0
>
>The testcase included in the advisory contains the iframe and css
>content in-line with the message. That will always be shown as there is
>no privacy issue with doing so and does not demonstrate the remote
>loading issue claimed.
>
>Once a user has pressed the "Show Images" button--not the best label
>since it covers all remote content--that state is stored in the mailbox
>metadata/index file (.msf) and the remote content will then be loaded on
>future viewings. If the .msf file is not deleted between tests this
>could give the appearance of the bug described in the advisory.
>
>There is a minor residual privacy issue if people whose mail you keep
>and reread are setting webbugs on you (your boss could find out how many
>times you read his memo?), but in most cases your privacy is fully blown
>once you load the remote content the first time.
>
>
>
>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus