X-RDate: Mon, 30 Mar 1998 08:53:53 +0600 (ESD)
Date: Sat, 28 Mar 1998 14:28:17 +0100
From: Rop Gonggrijp <rop@itsx.com>
To: BUGTRAQ@NETSPACE.ORG
Subject: Netscape passes mailbox path and message ID as refferer
This may be old stuff, but it surprised me. I was just made aware that when
someone clicks on a URL in an incoming message while reading mail in
Netscape's reader, at least some versions of Netscape pass Refferer URLs in
the following format to the server serving that URL:
> mailbox:/pbhrzs0/u5_s0/user_e/e99406/nsmail/Inbox?id=199802152301.AAA10398@xs2.xs4all.nl&number=2159429
> mailbox:/Power%20HD/System%20Folder/Preferences/Netscape%20Users/Brian/Mail/Jean%20Michel%20Jarre?id=19970825211854.31559@grendel.IAEhv.nl&number=2
> mailbox:/Harddisk/System%20Folder/Preferences/Netscape%20%C4/Mail/Jarre?id=199803172236.XAA18444@xs2.xs4all.nl&number=307371
> mailbox:/Z|/perso/Mail/Inbox?id=199803172236.XAA18444@xs2.xs4all.nl&number=203034
> mailbox:/home/fklee/nsmail/Inbox?id=199803172236.XAA18444@xs2.xs4all.nl&number=361
Note that in some configurations the user name shows up in the mailbox path,
along with information that might be usable for outside intrusions (such as
Windows share names), and that the message-ID of the E-mail message shows.
Maybe less surprising: It also passes file: URLs including the complete
path if you click in a file that's on disk. This also seems to include, at
least in some cases, the location of the bookmark file, including path.
> file:///c%7C/Program%20Files/Netscape/Users/jurjen_vdbroeck/bookmark.htm
This makes me even more happy to be running Junkbuster.
--
Rop Gonggrijp <rop@itsx.com>
