Security Vulnerability - Mozilla/Thunderbird Valid Email Address Enumeration Weakness

Discussion in 'Firefox, Thunderbird & SeaMonkey' started by Ramona, 2004/11/03.

Thread Status:
Not open for further replies.
  1. 2004/11/03
    Ramona

    Ramona Geek Member Alumni Thread Starter

    Joined:
    2001/12/31
    Messages:
    7,481
    Likes Received:
    2
    ----------------------------------------------------------------------
    [SA13086]
    November 3, 2004

    TITLE:
    Mozilla / Thunderbird Valid Email Address Enumeration Weakness

    SECUNIA ADVISORY ID:
    SA13086

    VERIFY ADVISORY:
    http://secunia.com/advisories/13086/

    CRITICAL:
    Not critical

    IMPACT:
    Exposure of system information

    WHERE:
    From remote

    SOFTWARE:
    Mozilla 1.7.x
    http://secunia.com/product/3691/
    Mozilla Thunderbird 0.x
    http://secunia.com/product/2637/


    DESCRIPTION:
    plonk has discovered a weakness in Mozilla and Thunderbird, which can
    be exploited by malicious people to enumerate valid email addresses.

    The weakness is caused due to an improper behaviour where references
    to external stylesheets in HTML documents are followed. This can be
    exploited to validate the existence of a mail address when a
    malicious mail is opened.

    The weakness has been confirmed in Mozilla 1.7.3 and Thunderbird 0.8.
    Other versions may also be affected.

    SOLUTION:
    If this is considered a problem, then disable HTML support in
    emails:
    "View" --> "Message Body As" --> "Plain Text"


    PROVIDED AND/OR DISCOVERED BY:
    plonk

    ----------------------------------------------------------------------
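
An added example, not part of the advisory or of the original post: a Python check, as a mail gateway might run it, that lists the external stylesheet references the advisory describes (`<link rel="stylesheet">` and `@import` inside `<style>`) in a message's HTML parts. The class and function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

REMOTE = re.compile(r"^\s*(?:https?:)?//", re.I)  # http://, https://, //host
CSS_IMPORT = re.compile(r'''@import\s+(?:url\(\s*)?["']?([^"')\s;]+)''', re.I)

class StylesheetRefs(HTMLParser):
    """Collect remote stylesheet URLs referenced by one HTML body."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            self._add(a.get("href", ""))
        elif tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        self._in_style = self._in_style and tag != "style"

    def handle_data(self, data):
        if self._in_style:  # CSS text between <style> and </style>
            for url in CSS_IMPORT.findall(data):
                self._add(url)

    def _add(self, url):
        if REMOTE.match(url):  # cid: and relative references are not fetched remotely
            self.urls.append(url.strip())

def external_stylesheets(raw):
    """Return the remote stylesheet URLs in every text/html part of a raw message."""
    found = []
    for part in message_from_string(raw, policy=default).walk():
        if part.get_content_type() == "text/html":
            parser = StylesheetRefs()
            parser.feed(part.get_content())
            found.extend(parser.urls)
    return found

# Constructed sample message (hypothetical hosts), not taken from the advisory.
SAMPLE = (
    "To: user@example.invalid\nMIME-Version: 1.0\nContent-Type: text/html\n\n"
    '<link rel="stylesheet" href="http://css.example.invalid/a.css">'
    '<style>@import url("//css.example.invalid/b.css");</style>'
    '<link rel="stylesheet" href="cid:local.css">')
print(external_stylesheets(SAMPLE))
```

A non-empty result means an HTML-rendering client that follows stylesheet references would contact those hosts when the message is opened.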
     
  2. 2004/11/03
    James

    James Inactive

    Joined:
    2004/07/14
    Messages:
    1,004
    Likes Received:
    0
    Well... in layman's terms, what does this mean? I guess since it is non-critical we can continue to use our Mozilla or Thunderbird mail and accept and send HTML mail with relatively little fear... right? I would imagine if we were doing business communications we might want to disable this function. This really sort of knocks the pins out from under me. I just uninstalled my Netscape and lo and behold I'm still facing vulnerabilities. Boy... whoever said simply connecting to the internet was a **** shoot was right. I guess we can lessen the likelihood of being breached but there are no guarantees, eh? :(
     

  4. 2004/11/03
    Ramona

    Ramona Geek Member Alumni Thread Starter

    Joined:
    2001/12/31
    Messages:
    7,481
    Likes Received:
    2
    James,

    Bless your heart, you just can't win this month, can you? Well, I'm not going to lose any sleep over this one. I did however do the suggested fix which was to disable HTML, and View messages in Plain Text. I post these advisories for information only. Not to get anyone upset, or have them lose faith in the best browsers on the Internet.

    This is from a very reliable source, and copied from another Forum:
    '
    Mozilla is the best in either patching or issuing a new Version with the vulnerability fixed. So relax my friend, and enjoy. ;)

    Ramona
     