Re: Netscape Communicator 4.x sensitive informations in configuration file
From: Byron York (byron@benefitrecovery.com)
Date: 02/28/03
- Previous message: Martin Eiszner: "axis2400 webcams"
- In reply to: Marc Ruef: "Netscape Communicator 4.x sensitive informations in configuration file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Feb 2003 10:33:38 -0600 From: Byron York <byron@benefitrecovery.com> To: Marc Ruef <marc.ruef@computec.ch>
We use Netscape 4.74 with roaming profiles using POP3, and my prefs.js file
keeps the password hidden:
user_pref("mail.pop_name", "byron");
user_pref("mail.pop_password", "encryptedstuff");
user_pref("mail.remember_password", true);
I am not sure if the encryption is turned on someplace, but I suspect it is
on by default, for it is definitely there for all of our POP clients using
4.74.
Cheers,
Byron
Marc Ruef wrote:
> Hi!
>
> It seems that I'm one of the last Netscape 4.x users. During my research
> for using roaming profiles I've checked a file named prefs.js in my
> netscape folder (C:\Program Files\Netscape\Users\mruef).
>
> The following paste shows the IMAP mail part of this configuration file.
> You can see that the line 17 shows the unencrypted password
> ("MyPassword4").
>
> --- cut ---
>
> user_pref("mail.imap.server.imap.computec.ch.admin_url", "");
> user_pref("mail.imap.server.imap.computec.ch.capability", 4641);
> user_pref("mail.imap.server.imap.computec.ch.check_new_mail", true);
> user_pref("mail.imap.server.imap.computec.ch.check_time", 60);
> user_pref("mail.imap.server.imap.computec.ch.cleanup_folders_on_exit",
> false);
> user_pref("mail.imap.server.imap.computec.ch.cleanup_inbox_on_exit",
> false);
> user_pref("mail.imap.server.imap.computec.ch.delete_model", 2);
> user_pref("mail.imap.server.imap.computec.ch.dual_use_folders", true);
> user_pref("mail.imap.server.imap.computec.ch.empty_trash_on_exit",
> false);
> user_pref("mail.imap.server.imap.computec.ch.empty_trash_threshhold",
> 0);
> user_pref("mail.imap.server.imap.computec.ch.isSecure", true);
> user_pref("mail.imap.server.imap.computec.ch.namespace.other_users",
> "");
> user_pref("mail.imap.server.imap.computec.ch.namespace.personal",
> "\"INBOX.\"");
> user_pref("mail.imap.server.imap.computec.ch.namespace.public",
> "\"shared.\"");
> user_pref("mail.imap.server.imap.computec.ch.offline_download", false);
> user_pref("mail.imap.server.imap.computec.ch.override_namespaces",
> true);
> user_pref("mail.imap.server.imap.computec.ch.password", "MyPassword4");
> user_pref("mail.imap.server.imap.computec.ch.remember_password", true);
> user_pref("mail.imap.server.imap.computec.ch.server_sub_directory", "");
> user_pref("mail.imap.server.imap.computec.ch.userName", "mruef");
> user_pref("mail.imap.server.imap.computec.ch.using_subscription", true);
>
> -- cut ---
>
> This is also true for POP3 and perhaps for SMTP, NNTP and LDAP
> passwords. The passwords are only stored if the remember password option
> is set (e.g. line 18).
>
> It may be possible to extract these passwords during a sneaking access
> to the system (local or remote by a backdoor)[1, 2] or examine a backup.
> This weakness should be keeped in mind.
>
> I'm not sure if this vulnerability exists in other Netscape versions
> (e.g. 6 or 7).
>
> Bye, Marc
>
> [1] http://www.idefense.com/advisory/11.19.02c.txt
> [2] http://www.securityfocus.com/bid/6215
>
> --
> Computer, Technik und Security http://www.computec.ch/
> Meine private Webseite http://www.computec.ch/mruef/
- Next message: Barry Zubel: "RE: axis2400 webcams"
- Previous message: Martin Eiszner: "axis2400 webcams"
- In reply to: Marc Ruef: "Netscape Communicator 4.x sensitive informations in configuration file"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
