Closed Bug 547568 Opened 15 years ago Closed 15 years ago

Spammers can force thunderbird to show inline porn images.

Categories

(Thunderbird :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 322533

People

(Reporter: dosergio, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: 20090605 up to the current version 3.0

I received some messages (spam) coming from porn advertisers. And they are succeeding in loading their images without Thunderbird blocking them, as Thunderbird usually does in other messages.

Reproducible: Always

Steps to Reproduce:

I will paste here part of the message source code for you to analyze. They load the image in a different section of the message, and put it as image source with cid: identifier!

-----------------------------------------------------------------------------

    MIME-Version: 1.0
    Content-Type: Multipart/related; type="multipart/alternative"; boundary="------------C2318E1B.78010102"

    --------------C2318E1B.78010102
    Content-Type: Multipart/Alternative; boundary="------------F7B0B2DD.2B5F7913"

    --------------F7B0B2DD.2B5F7913
    Content-Type: Text/Plain; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    --------------F7B0B2DD.2B5F7913
    Content-Type: Text/HTML; charset="iso-8859-1"
    Content-Transfer-Encoding: quoted-printable

    <html>
    <body>
    snowshine platerer unappreciable hyperphysically=2E typobar overleaf, na=
    to uncurling, nontrunked independentism ramets harmed kistfuls archipelagoes<br>
    <img src=3D"cid:103C0EED=2EB1800F91"><br>
    foreordains opulency indecomposableness summerize=2E upcountry filesave,=
    instates blurts, subtrochanteric=2E<br>
    </body>
    </html>
    --------------F7B0B2DD.2B5F7913--

    --------------C2318E1B.78010102
    Content-Type: image/png; name="vasiferous.png"
    Content-Transfer-Encoding: base64
    Content-ID: <103C0EED.B1800F91>

    iVBORw0KGgoAAAANSUhEUgAAAIcAAADwCAMAAAAdHodBAAADAFBMVEVcRTiyl4f5//1OS0mI
    alSpjHiqyLyx0MvU0NCLpZxscm7St6oxLCt0jYxLNCvgyrp4ZVPt1suahXLs//7a/v0LDAqY
    (.....)

Actual Results:

Thunderbird loads and shows offensive images without detecting and blocking them.

Expected Results:

Thunderbird should detect the trick, block the images and show a "Show Images" button.

I have tested even in the most recent version (3.0), and the problem of the porn images being shown in the message without Thunderbird detecting and blocking them remains.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
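The message layout described in the report, as an added example that is not part of the original bug report and is not Thunderbird's code: a mail-filter style check that decodes the HTML part and separates `cid:` images backed by an attached MIME part from remotely fetched ones. The function name `classify_images`, the sample message and the `tracker.example` URL are constructed for illustration; only the Content-ID is taken from the report.

```python
import email, re
from email import policy
from urllib.parse import unquote
# Constructed sample with the same MIME layout as the reported message.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative"; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="iso-8859-1"

--inner
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"cid:103C0EED=2EB1800F91"><br>
<img src=3D"http://tracker.example/p.png"></body></html>
--inner--
--outer
Content-Type: image/png; name="a.png"
Content-Transfer-Encoding: base64
Content-ID: <103C0EED.B1800F91>

iVBORw0KGgo=
--outer--
"""

IMG_SRC = re.compile(r'<img\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

def classify_images(raw: bytes) -> dict:
    """Sort <img> sources: embedded (cid: matches a part's Content-ID), dangling, remote."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    attached = {str(p["Content-ID"]).strip().strip("<>")
                for p in msg.walk() if p["Content-ID"]}
    out = {"embedded": [], "dangling": [], "remote": []}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # undoes quoted-printable (=3D, =2E) and charset
        for src in IMG_SRC.findall(html):
            if src.lower().startswith("cid:"):
                cid = unquote(src[4:])  # cid: URLs are percent-encoded (RFC 2392)
                out["embedded" if cid in attached else "dangling"].append(cid)
            else:
                out["remote"].append(src)
    return out
```

The reference only matches after transfer decoding: in the raw source the dot is written `=2E`, so a byte-level search for the Content-ID inside the HTML part finds nothing.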