
Re: [Full-disclosure] Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities



Hello,

If you carefully look at the inline attachments, you will find this
(first proof of concept):

<html><head></head><body style="margin: 0px; padding: 0px; border:
0px;"><iframe src="http://www.sysdream.com" width="100%" height="100%"
frameborder="0" marginheight="0" marginwidth="0"></iframe>

The information disclosure doesn't come from the first iframe, but from
the second one. Indeed, the inline attachment "basic.html" itself
contains an iframe, which is not correctly filtered and makes Thunderbird
fetch any external resource.


Best regards,

Renaud Lifchitz
http://www.sysdream.com




Daniel Veditz wrote:

>Renaud Lifchitz wrote:
>
>>Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities
>
>We believe this to be a testing error. The problem of loading remote
>iframe and css content was fixed prior to the release of Mozilla
>Thunderbird 1.0.
>
>The testcase included in the advisory contains the iframe and css
>content in-line with the message. That will always be shown as there is
>no privacy issue with doing so and does not demonstrate the remote
>loading issue claimed.
>
>Once a user has pressed the "Show Images" button--not the best label
>since it covers all remote content--that state is stored in the mailbox
>metadata/index file (.msf) and the remote content will then be loaded on
>future viewings. If the .msf file is not deleted between tests this
>could give the appearance of the bug described in the advisory.
>
>There is a minor residual privacy issue if people whose mail you keep
>and reread are setting webbugs on you (your boss could find out how many
>times you read his memo?), but in most cases your privacy is fully blown
>once you load the remote content the first time.
>
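
Added example, not part of either message and not Mozilla's code: a Python check that walks every text/html part of a message, including HTML carried as an inline attachment such as the "basic.html" described above, and lists the elements that reference remote resources. The sample message, the host remote.example and all function names are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# (tag, attribute) pairs that trigger a fetch when the HTML is rendered.
FETCHING = {("iframe", "src"), ("frame", "src"), ("img", "src"), ("script", "src"),
            ("embed", "src"), ("link", "href"), ("object", "data")}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, url) for fetching attributes that point outside the message."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            if (tag, name) in FETCHING and url.lower().startswith(
                    ("http:", "https:", "ftp:", "//")):
                self.refs.append((tag, url))

def audit_message(raw: bytes):
    """Return (part name, disposition, tag, url) for each remote reference in any
    text/html part, whether it is the body or an inline attachment."""
    findings = []
    for part in email.message_from_bytes(raw, policy=policy.default).walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteRefFinder()
        finder.feed(part.get_content())
        name = part.get_filename() or "<body>"
        disp = part.get_content_disposition() or "none"
        findings += [(name, disp, tag, url) for tag, url in finder.refs]
    return findings

# Constructed sample: a clean HTML body plus an inline attachment "basic.html".
SAMPLE = b"""\
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html; charset="us-ascii"

<html><body><p>hello</p><img src="cid:logo"></body></html>
--XX
Content-Type: text/html; charset="us-ascii"; name="basic.html"
Content-Disposition: inline; filename="basic.html"

<html><body><iframe src="http://remote.example/page"></iframe>
<link rel="stylesheet" href="http://remote.example/s.css"></body></html>
--XX--
"""
```

References using `cid:` point at parts inside the message itself and are deliberately not reported.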