|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Thomas Corriher (tcorriher
earthlink.net)Date: Wed Jun 06 2001 - 11:36:39 CDT
On Tue, 5 Jun 2001, 3APA3A wrote:
> Author : 3APA3A <3APA3Asecurity.nnov.ru>
> Affected software : Netscape 4.7x All Platforms
> Vendor URL : http://www.netscape.com
> SECURITY.NNOV advisories: http://www.security.nnov.ru/advisories
>
> Background:
>
> Netscape Messanger uses internal protocol called mailbox://. The
> format of mailbox URI is
>
> mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber
>
> Problem:
>
> It's possible to retrieve mailbox:// URI of the message. E.g., it's
> possible to retrieve mailbox location, user's system login and in some
> cases path to Netscape installation.
This does not seem like a real issue to me, and it certainly
does not qualify as an exploit. This information would seem
useful only if we believed that security through obscurity had
merit. Compound this with the fact that most people are not even
trying to hide their user account names, and that Netscape mail
locations are typically standardized in default directories
anyway. This information appears to be useless for anyone trying
to compromise security.
It is interesting, and I would like to commend the poster for
his cleverness nevertheless.
-- Thomas Corriher
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]