Date: Wed, 4 Nov 1998 18:29:55 +0100
From: Holger van Lengerich
To: BUGTRAQ@netspace.org
Subject: Communicator 4.5 stores EVERY mail-password in preferences.js

Hi!

The Netscape Communicator 4.5 stores the crypted version of used
mail-passwords (for imap and pop3) even if you tell Netscape to *not*
"remember password" in the preferences dialog.

Damage:
=======
IMHO this means that anybody who can read your preferences.js
("prefs.js" in the MS dominion) is probably able to read your mail or
even get your plaintext-password.

How to reproduce:
=================
- start Communicator
- be sure "remember password" is disabled in the preferences dialog for
  the "Incoming Mail Server".
- get mails from Server (you get asked for your mail-password)
- exit Communicator
- edit preferences.js in $HOME/.netscape
  (MS-Users: prefs.js in your NS-Profile-Path)
- search for something like:
  --- 8< ---
  user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
  user_pref("mail.imap.server.mail.remember_password", false);
  --- >8 ---
- Now change "false" to "true".
- Save the file
- Start Communicator
- get mails
  ... now you are not asked for any password but can read all your
  mail! :(

Affected:
=========
probably all Communicator-4.5-packages on ALL operating systems.

I was able to reproduce this behavior on:
- Sun Solaris
- Linux (glibc2)
- MS Windows NT.

Workaround:
===========
Don't use Communicator 4.5 to fetch mails from your IMAP/POP server or
be very sure that no one can read your Netscape-preferences-file!!!

Regards,
Holger van Lengerich, "pine"-user :)

PS: The preferences.js is sent to Netscape on Communicator-crash, isn't
it?

----------------------------------------------------------------------------
Holger van Lengerich - University of Paderborn - Dept. of Computer Science
System-Administration - Warburger Str. 100 - D 33098 Paderborn - Germany
mailto:gimli@uni-paderborn.de - http://www.uni-paderborn.de/admin/gimli
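
Added example, not part of the original post: a Python check a defender could run over a preferences.js / prefs.js to find the condition described above (a non-empty stored password, whatever remember_password says) and to see whether the file is readable by group or others. The key pattern comes from the two lines quoted in the post; the function names and the second server in the sample are constructed for illustration.

```python
import os
import re
import stat
import sys

# One user_pref("name", value); entry; value is a string, boolean or integer.
PREF_RE = re.compile(
    r'user_pref\(\s*"([^"]+)"\s*,\s*(?:"((?:[^"\\]|\\.)*)"|(true|false|-?\d+))\s*\)\s*;')

# Constructed sample: the two lines quoted in the post, plus an invented
# second server ("other") that has no stored password.
SAMPLE = '''
user_pref("mail.imap.server.mail.password", "cRYpTPaSswD=");
user_pref("mail.imap.server.mail.remember_password", false);
user_pref("mail.imap.server.other.password", "");
user_pref("mail.imap.server.other.remember_password", false);
'''

def parse_prefs(text):
    """Return {pref name: value} for every user_pref() entry in text."""
    prefs = {}
    for name, string, literal in PREF_RE.findall(text):
        if literal in ("true", "false"):
            prefs[name] = literal == "true"
        elif literal:
            prefs[name] = int(literal)
        else:
            prefs[name] = string
    return prefs

def stored_passwords(prefs):
    """List (server prefix, remember_password) for each non-empty password."""
    found = []
    for name, value in prefs.items():
        if name.endswith(".password") and isinstance(value, str) and value:
            prefix = name[:-len(".password")]
            found.append((prefix, prefs.get(prefix + ".remember_password")))
    return sorted(found, key=lambda item: item[0])

def readable_by_others(mode):
    """True if the permission bits let group or others read the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(path):
    """Return (stored password findings, readable_by_others) for a prefs file."""
    with open(path, encoding="latin-1") as fh:
        prefs = parse_prefs(fh.read())
    return stored_passwords(prefs), readable_by_others(os.stat(path).st_mode)

if __name__ == "__main__" and len(sys.argv) > 1:
    findings, exposed = audit(sys.argv[1])
    for prefix, remember in findings:
        print(f"{prefix}: password stored, remember_password={remember}")
    print("readable by group/others:", exposed)
```

A finding with remember_password=False is exactly the case the post reports: the user declined to save the password, yet it is on disk.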