Closed Bug 72131 Opened 24 years ago Closed 23 years ago

Getting mail directory path using relative link

Categories

(MailNews Core :: Security, defect, P2)

x86
Windows NT
defect

Tracking

(Not tracked)

VERIFIED FIXED
mozilla0.9.1

People

(Reporter: security-bugs, Assigned: mscott)

References

Details

(Whiteboard: [nsbeta1+])

Attachments

(1 file)

It is possible for an email message to find the directory where the POP3 mailbox is. This may lead to attacks against prefs.js.
The code in the email message is:
----------------------------------------------
<A HREF="#">LINK1</A>
<script>
alert(document.links[0].href);
</script>
----------------------------------------------
Georgi Guninski
QA Contact: junruh → ckritzer
Qa > ckritzer
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.1
Mitch and I think this bug depends on 77539 where the base tag mime is generating isn't being honored.
Depends on: 77539
assigning to mscott (mstoltz believes that your fix to some other bug fixes this one). If not, please bounce it back to mstoltz.
Assignee: mstoltz → mscott
Status: ASSIGNED → NEW
Keywords: nsbeta1
Priority: -- → P2
Whiteboard: [nsbeta1+]
Okay this blocks calls on nsMsgMailNewsUrl::Resolve. The only time a partial url can get resolved against a mailnews url is if it's an anchor tag. (See 54373). Although as I look at this bug report I see that the attack is actually using an anchor tag to find out the mail path. So I'm not sure how to fix this bug now. We don't want to lose the ability to have anchors in mail messages if we can avoid it. Most of our managers use anchors when they write their weekly status reports and they need to work in the message pane when reading the message =).
An alternative may be to block scripts in messages from accessing anchor URLs. I can do that from my end, I think.
Scott, let's check in your patch, and in addition I'll block scripts in mail from accessing HTMLAnchor.href and related properties. Combined, I think that will solve the problem. r=mstoltz on your patch, FWIW.
cool. thanks Mitch. I'm checking this bad boy in as soon as the tree opens tonight.
I checked in the mailnews part to this bug.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
I already checked in the caps part. That should do it.
No alert thrown. I also added a document.write() statement and it didn't display that either. Nice job dudes. Marking VERIFIED FIXED on:
-MacOS91 2001-05-23-08-trunk
-Win98SE 2001-05-23-09-trunk
-LinRH62 2001-05-23-08-trunk
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
Group: netscapeconfidential
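
The two-part fix discussed in this bug, as an added sketch that is not Mozilla's code: restricting relative resolution to fragment-only references still leaves the resolved anchor URL carrying the folder path, which is why script access to the link URL is denied as well. The `mailbox:` path layout, function names and caller labels are assumptions made for illustration.

```javascript
// Constructed sample base URL for a message in a local mail folder.
// The mailbox: path layout here is an assumption made for illustration.
const MESSAGE_BASE =
  "mailbox:///PROFILE_DIR/Mail/pop.example.test/Inbox?number=42";

// Before: any reference in the message resolves against the message URL.
function resolveUnrestricted(ref, base) {
  return new URL(ref, base).href;
}

// Mailnews-side idea: only a pure fragment (an in-message anchor) may be
// resolved against the message URL; other relative references are refused.
function resolveInMessage(ref, base) {
  if (/^[a-z][a-z0-9+.-]*:/i.test(ref)) return new URL(ref).href; // absolute
  if (!ref.startsWith("#")) return null; // would be built from the folder path
  return new URL(ref, base).href;
}

// Caps-side idea: script running in the message may not read link URLs.
function readLinkHref(resolvedHref, caller) {
  if (caller === "message-script") {
    throw new Error("href is not readable from message script");
  }
  return resolvedHref;
}

// What each layer leaves visible for the "#" link from the report.
function summarize() {
  const anchor = resolveInMessage("#", MESSAGE_BASE);
  let scriptSees;
  try {
    scriptSees = readLinkHref(anchor, "message-script");
  } catch (e) {
    scriptSees = null; // access denied, nothing reaches the script
  }
  return {
    relativeRefused: resolveInMessage("../other.html", MESSAGE_BASE) === null,
    anchorStillCarriesPath: anchor.includes("/Mail/pop.example.test/Inbox"),
    scriptSees,
    uiSees: readLinkHref(anchor, "ui"), // anchors keep working for the reader
  };
}

console.log(summarize());
```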