3APA3A wrote: [snip] > Background: > > Netscape Messanger uses internal protocol called mailbox://. The > format of mailbox URI is > > mailbox://full_path_to_user_folder?ID=some_message_d&number=somenumber > > this URI contains full path to user's mailbox which usually contains > user's login name and in case of Windows 9x - the path to Netscape > installation. It's impossible to determine this location from > javascript inside e-mail message, because Netscape hides > document.location from javascript. > > Problem: > > It's possible to retrieve mailbox:// URI of the message. E.g., it's > possible to retrieve mailbox location, user's system login and in some > cases path to Netscape installation. > This vulnerability only affects the users local (on the client machine) mailbox. If a user keeps his mail on an IMAP server, the the referer will show up as an IMAP:// url. Workaround: Don't use POP3, and keep your mail on an IMAP server. /Mads