
List:       full-disclosure
Subject:    Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information
From:       Renaud Lifchitz <r.lifchitz () sysdream ! com>
Date:       2006-02-28 22:57:07
Message-ID: 4404D543.1030402 () sysdream ! com

Hello,

If you carefully look at the inline attachments, you will find this
(first proof of concept) :

<html><head></head><body style="margin: 0px; padding: 0px; border:
0px;"><iframe src="http://www.sysdream.com" width="100%" height="100%"
frameborder="0" marginheight="0" marginwidth="0"></iframe>

The information disclosure doesn't come from the first iframe, but from
the second one. Indeed, the inline attachment "basic.html" itself
contains an iframe, which is not correctly filtered and makes Thunderbird
fetch any external resource.


Best regards,

Renaud Lifchitz
http://www.sysdream.com




Daniel Veditz wrote:

>Renaud Lifchitz wrote:
>
>>Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
>
>We believe this to be a testing error. The problem of loading remote
>iframe and css content was fixed prior to the release of Mozilla
>Thunderbird 1.0.
>
>The testcase included in the advisory contains the iframe and css
>content in-line with the message. That will always be shown as there is
>no privacy issue with doing so and does not demonstrate the remote
>loading issue claimed.
>
>Once a user has pressed the "Show Images" button--not the best label
>since it covers all remote content--that state is stored in the mailbox
>metadata/index file (.msf) and the remote content will then be loaded on
>future viewings. If the .msf file is not deleted between tests this
>could give the appearance of the bug described in the advisory.
>
>There is a minor residual privacy issue if people whose mail you keep
>and reread are setting webbugs on you (your boss could find out how many
>times you read his memo?), but in most cases your privacy is fully blown
>once you load the remote content the first time.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
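
Added example, not part of the original thread or of Thunderbird's code: a mail-gateway style check that walks every MIME part of a message, inline HTML attachments such as "basic.html" included, and reports markup that would make a renderer fetch a remote resource. The sample message, the tracker.example host and the names REMOTE_ATTRS, RemoteRefFinder and remote_refs are constructed for illustration.

```python
# Flag remote-loading markup in every HTML part of a message (added example).
from email import message_from_string
from html.parser import HTMLParser

# Tag -> attribute that triggers a fetch when rendered (assumed, non-exhaustive).
REMOTE_ATTRS = {"iframe": "src", "img": "src", "link": "href", "script": "src"}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = REMOTE_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        # cid: and data: references stay inside the message and are not flagged.
        if value and value.strip().lower().startswith(("http://", "https://", "//")):
            self.refs.append((tag, value.strip()))

def remote_refs(raw_message):
    """Return (part filename or content type, tag, url) per remote reference."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue  # multipart containers and non-HTML parts are skipped
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        finder = RemoteRefFinder()
        finder.feed(payload.decode(charset, errors="replace"))
        label = part.get_filename() or part.get_content_type()
        findings += [(label, tag, url) for tag, url in finder.refs]
    return findings

# Constructed sample: an inline HTML attachment carrying a remote iframe.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/html; name="basic.html"
Content-Disposition: inline; filename="basic.html"

<html><body><iframe src="http://tracker.example/hit" width="100%"></iframe></body></html>
--b1--
"""

if __name__ == "__main__":
    print(remote_refs(SAMPLE))
```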