
View Full Version : Potential disclosure of sensitive information in Netscape 7.0 email client



Michael Puchol
01/01/03, 21:59
Potential disclosure of sensitive information in Netscape 7.0 email client.

Overview:
=================

Netscape 7.0 includes, as part of its release, an email client, capable of
handling POP3 and IMAP accounts. The method that the email client utilizes
to permanently delete email messages is not explained, which could lead to
users having large quantities of email messages, which they would think of
as permanently deleted, still stored in clear text on their hard disks.

Tested product:
=================

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.1) Gecko/20020823
Netscape/7.0 (from the About Netscape window)

Description:
=================

Netscape's email client stores received email messages in mailbox files,
which are basically sequentially written ASCII text files. A second file is
used to save the status of each individual message contained in the mailbox
file (read, unread, flagged, etc.).

When a user deletes an email message from, for example, his inbox folder
within the email client, it is sent to the 'Trash' folder. The user can then
right-click on this folder and select 'Empty trash' from the popup menu.

In most instances of Windows-based applications, this action would
permanently remove the contents of the trash folder, recycle bin, or
appropriate substitute. In Netscape's email client, it does not. The deleted
email messages are marked for removal in the status file which accompanies
the mailbox file. It is only when the user chooses to compact the folder
which contained the deleted email message (and not the trash folder!), that
the deleted messages are permanently removed.

Recovery of messages not permanently removed by compacting is trivial. A
simple file-parsing VBScript is all that is needed to extract all individual
messages from a mailbox file, and dump them as separate .eml files.

The help system [1] that accompanies Netscape's email client states the
following, under the section "Using Netscape Mail -> Deleting Messages":

// BEGIN QUOTE

"To delete messages from your Inbox or other folders, begin from the Mail
window:

1. In the message list, select the messages and click Delete. By default,
Mail & Newsgroups moves the selected messages to the Trash folder.
2. To delete messages permanently, open the File menu and choose Empty
Trash."

<........>

"To delete messages permanently:

a. Open the File menu and choose Empty Trash."

// END QUOTE

It is misleading to state that to delete messages permanently, a user should
just simply "Empty Trash". To give Netscape a mitigating factor, in an
unrelated area of the help file (IMAP Server Settings), we find the
following statement:

// BEGIN QUOTE

"When I delete a message: Choose the behavior you want for deleted messages.
"Move it to the Trash folder" is recommended unless you are instructed to
use a different setting by your system administrator or service provider.
Messages marked as deleted are removed only when you compact folders."

// END QUOTE

However, such a setting is NOT available, and it is NOT mentioned in any form
for POP mailboxes. So, a user reading only about setting up options or using
a POP account would be unaware of this behaviour. He will not know that
messages will only be permanently removed when the original folder is
compacted, after the trash folder is emptied. Even if he read the IMAP
section, he would have to make the connection between the two and realise
the problem.

Possible solutions:
=================

A setting in the email client configuration exists (Edit -> Preferences ->
Offline & Disk Space Preferences) that allows the message folders to be
compacted automatically when the disk space entered will be saved by said
compacting. The default value for this setting is 100kB. This feature is NOT
enabled by default in the tested Netscape installation.

Optionally, use the popup menu which appears on right-clicking a folder to
manually compact it, when sensitive messages have been deleted by sending
them to Trash.

Reproducing the problem:
=================

A VBScript which will ask for an input Netscape mailbox file, and output
individual .eml messages into a subdirectory called name_of_mailbox_eml is
available for download at:

http://www.sonar-security.com/files/netscape_email_converter.zip
MD5 Sum: 202aebc3b3629303cd644f75f606dc15

You are encouraged to review with an appropriate editor the source code of
downloaded scripts before executing them.

Vendor status:
=================

Netscape was notified of the problem on the 24th of December, 2002, via
their online Security Bug Report Form, available at:

http://help.netscape.com/forms/bug-security.html

We haven't received a reply from Netscape, not even an automatic
confirmation email of the bug report.

References:
=================

[1] Netscape 7.0 email help file, Copyright © 1994-2002 Netscape
Communications Corporation.
http://www.netstcape.com



Michael Puchol
Sonar Security
mailto:mpuchol@sonar-security.com
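
An added example, not part of the original post and not the VBScript it references: a Python audit that counts messages still stored in a mailbox file although flagged deleted, reporting sizes only and never message content. It assumes the Mozilla-family `X-Mozilla-Status` header, with bit 0x0008 marking a deleted message awaiting compaction (the post itself only mentions the status file); the sample mailbox and all function names are constructed for illustration.

```python
import re

EXPUNGED = 0x0008      # assumption: X-Mozilla-Status bit for "deleted, not yet compacted"
AUTO_COMPACT_KB = 100  # default auto-compact threshold quoted in the advisory

# Constructed sample mailbox: two live messages, one deleted but never compacted.
SAMPLE = (
    b"From - Wed Jan 01 10:00:00 2003\n"
    b"X-Mozilla-Status: 0001\n"
    b"Subject: kept\n\nbody one\n\n"
    b"From - Wed Jan 01 10:05:00 2003\n"
    b"X-Mozilla-Status: 0009\n"
    b"Subject: deleted, trash emptied\n\nstill on disk\n\n"
    b"From - Wed Jan 01 10:10:00 2003\n"
    b"X-Mozilla-Status: 0000\n"
    b"Subject: unread\n\nbody three\n"
)

def split_messages(data):
    """Split mbox bytes at 'From ' separator lines."""
    starts = [m.start() for m in re.finditer(rb"(?m)^From ", data)]
    return [data[a:b] for a, b in zip(starts, starts[1:] + [len(data)])]

def status_flags(message):
    """Return the X-Mozilla-Status value from the header block, or None if absent."""
    headers = re.split(rb"\r?\n\r?\n", message, maxsplit=1)[0]
    m = re.search(rb"(?mi)^X-Mozilla-Status:\s*([0-9a-f]{4})\s*$", headers)
    return int(m.group(1), 16) if m else None

def audit(data):
    """Count messages still on disk although flagged as deleted."""
    report = {"total": 0, "residual": 0, "residual_bytes": 0}
    for msg in split_messages(data):
        report["total"] += 1
        flags = status_flags(msg)
        if flags is not None and flags & EXPUNGED:
            report["residual"] += 1
            report["residual_bytes"] += len(msg)
    report["needs_compact"] = report["residual"] > 0
    # Approximates the preference: compact once this much space would be saved.
    report["auto_compact_would_run"] = report["residual_bytes"] >= AUTO_COMPACT_KB * 1024
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A folder reporting `needs_compact` with `auto_compact_would_run` false is the case the advisory warns about: deleted mail remains on disk and even the optional auto-compact setting would not remove it yet.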

Bartek Raszczyk
02/01/03, 20:31
Hello Michael,

Wednesday, January 1, 2003, 12:19:49 PM, you wrote:

MP> Netscape 7.0 includes, as part of its release, an email client, capable of
MP> handling POP3 and IMAP accounts. The method that the email client utilizes
MP> to permanently delete email messages is not explained, which could lead to
MP> users having large quantities of email messages, which they would think of
MP> as permanently deleted, still stored in clear text on their hard disks.

The same applies to Ritlabs' The Bat! (up to version 1.60c I'm
currently using).

The Bat! stores all of the messages in
$thebathome\mail\$accountname\$foldername\Messages.tbb and
status information in Messages.tbi (without customization and
message filtering all mail goes to $foldername named inbox).
All messages remain there until Folder|Compress function is used.

The question is - is that a feature or a bug?
I'm using The Bat! for nearly three years now and it's there
from where I can remember (although there were dozen or so version changes).


--
Best regards,
Bartek Raszczyk mailto:crayfish@underground.org.pl