Thread: Netscape 7.0 flaw

  1. #1
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    Netscape 7.0 flaw

    I know some of you use this, so I thought I should post this so you know about it.



    Netscape E-mail Client Fails to Delete Messages When 'Empty Trash' is Selected

    SecurityTracker Alert ID: 1005871
    CVE Reference: GENERIC-MAP-NOMATCH
    Date: Jan 2 2003

    Impact: Disclosure of user information

    Exploit Included: Yes

    Version(s): 7.0

    Description: A potential information disclosure vulnerability was reported in the Netscape 7.0 e-mail client. The software does not delete e-mail messages when the user selects 'Empty Trash'.

    It is reported that when a user deletes a message, the message is moved to the Trash folder. When the user selects 'Empty Trash', the message is not removed from the Trash file until that folder is compressed by the user.

    The vendor has reportedly been notified.

    Impact: A local user may be able to view a message that the target user thought had been deleted.

    Solution: No solution was available at the time of this entry.

    Vendor URL: www.netscape.com/

    Cause: State error

    Underlying OS: Windows (Any)

    Reported By: "Michael Puchol" <mpuchol@sonar-security.com>

    Message History: None.



    --------------------------------------------------------------------------------

    Source Message Contents

    --------------------------------------------------------------------------------

    Date: Wed, 1 Jan 2003 12:19:49 +0100
    From: "Michael Puchol" <mpuchol@sonar-security.com>
    Subject: Potential disclosure of sensitive information in Netscape 7.0 email client





    Potential disclosure of sensitive information in Netscape 7.0 email client.

    Overview:
    =================

    Netscape 7.0 includes, as part of its release, an email client, capable of
    handling POP3 and IMAP accounts. The method that the email client utilizes
    to permanently delete email messages is not explained, which could lead to
    users having large quantities of email messages, which they would think of
    as permanently deleted, still stored in clear text on their hard disks.

    Tested product:
    =================

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823
    Netscape/7.0 (from the About Netscape window)

    Description:
    =================

    Netscape's email client stores received email messages in mailbox files,
    which are basically sequentially written ASCII text files. A second file is
    used to save the status of each individual message contained in the mailbox
    file (read, unread, flagged, etc.).

    When a user deletes an email message from, for example, his inbox folder
    within the email client, it is sent to the 'Trash' folder. The user can then
    right-click on this folder and select 'Empty trash' from the popup menu.

    In most instances of Windows-based applications, this action would
    permanently remove the contents of the trash folder, recycle bin, or
    appropriate substitute. In Netscape's email client, it does not. The deleted
    email messages are marked for removal in the status file which accompanies
    the mailbox file. It is only when the user chooses to compact the folder
    which contained the deleted email message (and not the trash folder!), that
    the deleted messages are permanently removed.

    Recovery of messages not permanently removed by compacting is trivial. A
    simple file-parsing VBScript is all that is needed to extract all individual
    messages from a mailbox file, and dump them as separate .eml files.

    The help system [1] that accompanies Netscape's email client states the
    following, under the section "Using Netscape Mail -> Deleting Messages":

    // BEGIN QUOTE

    "To delete messages from your Inbox or other folders, begin from the Mail
    window:

    1.. In the message list, select the messages and click Delete. By default,
    Mail & Newsgroups moves the selected messages to the Trash folder.
    2.. To delete messages permanently, open the File menu and choose Empty
    Trash."

    <........>

    "To delete messages permanently:

    a.. Open the File menu and choose Empty Trash."

    // END QUOTE

    It is misleading to state that to delete messages permanently, a user should
    just simply "Empty Trash". To give Netscape a mitigating factor, in an
    unrelated area of the help file (IMAP Server Settings), we find the
    following statement:

    // BEGIN QUOTE

    "When I delete a message: Choose the behavior you want for deleted messages.
    "Move it to the Trash folder" is recommended unless you are instructed to
    use a different setting by your system administrator or service provider.
    Messages marked as deleted are removed only when you compact folders."

    // END QUOTE

    However, such a setting is NOT available, and it is NOT mentioned in any form
    for POP mailboxes. So, a user reading only about setting up options or using
    a POP account, would be unaware of this behaviour. He will not know that
    messages will only be permanently removed when the original folder is
    compacted, after the trash folder is emptied. Even if he read the IMAP
    section, he would have to make the connection between the two and realise
    the problem.

    Possible solutions:
    =================

    A setting in the email client configuration exists (Edit -> Preferences ->
    Offline & Disk Space Preferences) that allows the message folders to be
    compacted automatically when the disk space entered will be saved by said
    compacting. The default value for this setting is 100kB. This feature is NOT
    enabled by default in the tested Netscape installation.

    Optionally, use the popup menu which appears on right-clicking a folder to
    manually compact it, when sensitive messages have been deleted by sending
    them to Trash.

    Reproducing the problem:
    =================

    A VBScript which will ask for an input Netscape mailbox file, and output
    individual .eml messages into a subdirectory called name_of_mailbox_eml is
    available for download at:

    http://www.sonar-security.com/files/..._converter.zip
    MD5 Sum: 202aebc3b3629303cd644f75f606dc15

    You are encouraged to review with an appropriate editor the source code of
    downloaded scripts before executing them.

    Vendor status:
    =================

    Netscape was notified of the problem on the 24th of December, 2002, via
    their online Security Bug Report Form, available at:

    http://help.netscape.com/forms/bug-security.html

    We haven't received a reply from Netscape, not even an automatic
    confirmation email of the bug report.

    References:
    =================

    [1] Netscape 7.0 email help file, Copyright © 1994-2002 Netscape
    Communications Corporation.
    http://www.netstcape.com



    Michael Puchol
    Sonar Security
    mailto:mpuchol@sonar-security.com
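
A check for the condition the advisory above describes, added here as an example (it is not part of the original post or the advisory's VBScript): it reports how many messages in a folder file are flagged deleted but still physically present, so you know which folders need compacting. It assumes the Mozilla mail store convention of an `X-Mozilla-Status` header inside the mbox whose 0x0008 bit marks an expunged message; that header is not mentioned on this page, and the sample mailbox is constructed.

```python
import mailbox
import os
import tempfile

EXPUNGED = 0x0008  # assumed Mozilla X-Mozilla-Status bit: deleted, awaiting compaction

# Constructed sample: (status, subject) pairs as a folder file would hold them
# after Delete + Empty Trash but before the folder is compacted.
SAMPLE = [("0001", "lunch on friday"), ("0009", "payroll details"), ("0008", "temporary password")]
SAMPLE_MBOX = "".join(
    f"From - Wed Jan 01 12:00:00 2003\nX-Mozilla-Status: {s}\nSubject: {t}\n\nbody\n\n"
    for s, t in SAMPLE
)

def audit_mbox(path):
    """Count messages on disk and those flagged deleted but not yet compacted away."""
    box = mailbox.mbox(path, create=False)
    total = stale = stale_bytes = 0
    try:
        for msg in box:
            total += 1
            raw = msg.get("X-Mozilla-Status", "0000").strip()
            try:
                flags = int(raw, 16)
            except ValueError:
                flags = 0  # unparsable header: treat the message as live
            if flags & EXPUNGED:
                stale += 1
                stale_bytes += len(msg.as_bytes())
    finally:
        box.close()
    return {"on_disk": total, "needs_compact": stale, "stale_bytes": stale_bytes}

def demo():
    """Write the constructed mailbox to a temp file and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Inbox")
        with open(path, "w", newline="\n") as f:
            f.write(SAMPLE_MBOX)
        return audit_mbox(path)

if __name__ == "__main__":
    print(demo())
```

A non-zero `needs_compact` after emptying the Trash means the folder still holds the deleted messages in clear text until it is compacted.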

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Not really a serious vulnerability, seeing as even if Netscape 7 *did* delete the mail from trash, the underlying O/S almost certainly won't remove the data from the disc immediately.

    And untrusted users shouldn't be trawling your hard disc anyway.

  3. #3
    Navigate easy, go for Avant Browser.

    Jorge
    Prohibido Prohibir
