Open Bug 437084 Opened 16 years ago Updated 2 years ago

URI Creation may be exploitable over remote addressbooks

Categories

(MailNews Core :: Address Book, defect)

Tracking

(Not tracked)

People

(Reporter: prasad, Unassigned)

Details

Spin off from bug 410177 comment 27.

With reference to http://mxr.mozilla.org/mozilla/source/mail/components/addrbook/content/abCardViewOverlay.js#442 for Thunderbird and http://mxr.mozilla.org/mozilla/source/mailnews/addrbook/resources/content/abCardViewOverlay.js#441 for SeaMonkey - 

Addressbook creates a few mailto links and it is possible that these can be exploited.  As dmose said: "I suspect that it's possible to exploit this URI creation in weird ways by having a remote (e.g. LDAP) addressbook with a hostile email address or convincing someone to import a hostile vCard.  Can you file a spinoff bug to look into that?"

BTW, the code exists in mozilla/mail also, but does not affect Thunderbird.  Both in Thunderbird and SeaMonkey, cvAddAddressNodes is called from DisplayCardViewPane - for Thunderbird 'null' is passed as the first argument (node) since there is no element by id cvAddresses in Thunderbird.
Just a needs-investigation bug!
Summary: URI Creation is exploitable over remote addressbooks → URI Creation may be exploitable over remote addressbooks
Product: Core → MailNews Core
Severity: normal → S3
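
An added example, not code from this bug or from Mozilla: one way to build a mailto: link from an untrusted address book field (an LDAP entry or an imported vCard) so that characters in the field cannot change the structure of the URI. The function name `buildMailtoURI`, the 254-character limit, the ASCII-only domain check and the sample inputs in the comments are assumptions made for illustration.

```javascript
// Hypothetical helper: returns a mailto: URI string, or null when the
// address book field should not be turned into a link at all.
function buildMailtoURI(rawAddress) {
  if (typeof rawAddress !== "string") return null;
  const addr = rawAddress.trim();

  // Assumed upper bound on address length; empty fields get no link.
  if (addr.length === 0 || addr.length > 254) return null;

  // Control characters (CR, LF, NUL, ...) never belong in an address.
  if (/[\u0000-\u001f\u007f]/.test(addr)) return null;

  // Split on the last "@": everything before it is the local part.
  const at = addr.lastIndexOf("@");
  if (at <= 0 || at === addr.length - 1) return null;
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);

  // Conservative ASCII hostname check (assumption: no IDN, no IP literals).
  // This also rejects "?", "&", "#", "/" and whitespace after the "@".
  const label = "[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?";
  const hostname = new RegExp("^" + label + "(?:\\." + label + ")*$");
  if (!hostname.test(domain)) return null;

  // Percent-encode the local part so "?", "&", "=", "#", "%", "+" and quotes
  // are carried as data, not as URI delimiters or header fields.
  let encodedLocal;
  try {
    encodedLocal = encodeURIComponent(local);
  } catch (e) {
    return null; // malformed UTF-16 (lone surrogate) in the field
  }
  // encodeURIComponent leaves ! ' ( ) * untouched; encode those as well.
  encodedLocal = encodedLocal.replace(/[!'()*]/g, function (c) {
    return "%" + c.charCodeAt(0).toString(16).toUpperCase();
  });

  return "mailto:" + encodedLocal + "@" + domain;
}

// Constructed sample fields, as they might arrive from a remote directory:
//   "alice@example.com"            -> link is created
//   "user@example.com?subject=hi"  -> rejected, no link
//   "user?subject=hi@example.com"  -> "?" and "=" are percent-encoded
```

A non-null result is meant to be set on the link element with `setAttribute("href", uri)`; concatenating it into markup would need separate HTML escaping.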