Eudora Client and Path Disclosure Vulnerability

Eudora is a popular graphical e-mail client for Windows computers offered for free by Qualcomm. It has been reported to Bugtraq that Qualcomm's Eudora discloses system path information in email messages under certain conditions. If a message containing an attachment is replied to (the example given was a .VCF card) by an individual using Eudora containing the original message, a string is appended saying that the attachment was converted. This string lists the file, its full path on the client computer, revealing the directory structure of the client.

From the Bugtraq post:

"I sent an email to somebody who uses Eudora. I have a virtual card attached
to all my messages (VCF).

The person replied and as most mail program do, the original message (mine)
was included at the end, along with a nice little piece of information:


>Attachment Converted: "c:\program files\eudora\attach\Yves Lepage.vcf"


This information may (though this is unlikely) be used to assist further attacks against the client.


Privacy Statement
Copyright 2010, SecurityFocus