Closed Bug 176016 Opened 22 years ago Closed 21 years ago

Sending an email can reveal the name of the profile directory secret .slt name, the username, or hostname

Categories

(MailNews Core :: Backend, defect)

Product:
MailNews Core
Component:
Backend
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla1.4beta

People

(Reporter: pioch, Assigned: sspitzer)

Details

(Whiteboard: [adt1])

Attachments

(1 file)

patch
2.48 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.2a) Gecko/20020926
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.2a) Gecko/20020926

Quoting from http://mozilla.org/releases/mozilla1.2b/#problems

Your profile directory is located at:
    * ~/.mozilla/<profilename>/xxxxxxxx.slt/ on Unix
    * %WINDOWS%\Application Data\Mozilla\Profiles\<profilename>\xxxxxxxx.slt\ on
Windows
    * Documents:Mozilla:Profiles:<profilename>:xxxxxxxx.slt: on Mac OS.
  xxxxxxxx.slt is a randomly generated directory name. It's an important
security feature.

Well, if I print an email (either to a shared printer in an office/university,
or if I fax the email using Print and select a FAX printer,
of if I save/export the email as Acrobat/PDF using Print to PDF printer)

in the upper right corner of the printout, my "important security feature"
is revealed for anyone to read, with the full pathname to the user profile
folder, such as:

  mailbox:///C|/Docs/Users/pioch/h3iu39d3.slt/Mail/Local%20Folders/Inbox

This is not the place to debate security through obscurity
(I sure hope that it's not sufficient to find the name of the .slt directory
to hack into my machine) but there is one consistency problem here.

Either "this is an important security feature" as indicated in the release
notes, and it should be kept secret, or it is not, and the Release Notes/
official talk should know better?


Reproducible: Always

Steps to Reproduce:
1. Display any email stored locally (Local Folders)
2. Select File | Print, or Print Preview to view on-screen
3. Look in upper right corner

Actual Results:  
"Secret" profile name randomly generated xxxxxx.slt
"important security feature" is for all to read

Expected Results:  
Mailbox URLs should not print full path.
Maybe it could be assumed that everything is under the Mail directory
in the user profile, so

mailbox://Local%20Folders/Inbox

should be sufficient.
BTW, I know you can go into "Print Setup" and disable printing the URL
in the upper right corner.

However you usually do want the URL when you are printing a web page,
but you don't want it when it includes the .slt security feature.

Having to reconfigure Print Setup every time you print to avoid leaking
confidential information isn't exactly the most convenient or secure solution...

it's like having to reconfigure your Internet firewall every time you change
application :-)

Coonfirming. With local mail folders, and a short path to them, the full path
can be displayed at the top of the page.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Printing
Assignee: mstoltz → dcone
Severity: normal → major
Component: Security: General → Printing
Keywords: nsbeta1+
Priority: -- → P2
QA Contact: junruh → esther
Instead of printing
  mailbox:///C|/Docs/Users/pioch/h3iu39d3.slt/Mail/Local%20Folders/Inbox

there is already a URI scheme available that wouldn't reveal that much information:

  mailbox-message://nobody@Local Folders/Inbox#9219938

PS: I hope that for IMAP accounts the "nobody@" doesn't get replaced with your
IMAP login (this would leak information again, especially when you attach such
an email to forward it appended to another message)
Severity: major → normal
Component: Printing → Security: General
Priority: P2 → --
This looks like an issue for mail, not the printing back end. Mail needs to
disable printing of the URL when it specifies the print options.
Assignee: dcone → mscott
Component: Security: General → Mail Back End
re-assigning nsbeta1+ bugs
Assignee: mscott → sspitzer
Disabling printing the URL when printing is not sufficient:

If you drag and drop an image embedded inside an email you received
into an email you are composing (Compose Window) in the attachment area,
when you send out the email the .slt profile name is leaked once again:

Here are what the MIME headers look like:

Content-Type: image/jpeg;
 name="mailbox:///C|/Users/pioch/j8217hdt.slt/Mail/Local%20Folders/Lists?number=7852747&part=1.4&type=image/jpeg&filename=sit_2.jpg"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="mailbox:///C|/Users/pioch/j8217hdt.slt/Mail/Local%20Folders/Lists?number=7852747&part=1.4&type=image/jpeg&filename=sit_2.jpg"
Summary: Printing (or faxing) an email reveals the name of the profile directory secret .slt name → Sending/printing/faxing an email reveals the name of the profile directory secret .slt name
Mail triage team: need info.  Mitch, can you comment on the security
impliciations of this bug and the priority to fix this for Buffy?  Thanks.
Keywords: nsbeta1+nsbeta1
Whiteboard: [need info]
Do we reveal the profile path when _sending_ an email? If so, I would consider
this serious and a stop-ship. If this only happens during printing, it's less
serious, a "would like to have" for Buffy.

Reporter, the profile directory "salt" is an important feature that prevents
certain historical attacks against the information in your profile directory.
However, simply knowing the salt will not allow an attacker to access that
information; there are other lines of defense.
Yes, I'm aware of the histerical attacks against prefs.js
(in Netscape 4, overloading the user_pref() or lock_pref() javascript
function and loading prefs.js :-)

Make it a stop-ship then.

I opened this bug for printing/faxing then found out the .slt
was also leaked when sending an email, read comment 7 above
on how to reproduce.

Let me know if this isn't clear enough and I'll detail more how
drag'n'drop'ing an embedded image (cid:) from an email you received
into an email you're composing reveals your .slt profile name
in the MIME headers to the email recipient.

Just sent an email to myself according to the process described in comment 7
with Mozilla/1.3 Windows2000

and verified the .slt profile directory is still present in the MIME headers
of the message as received.

OK, let's get this fixed for Buffy.
Severity: normal → major
Mail triage: nsbeta1+/adt1
Keywords: nsbeta1nsbeta1+
Whiteboard: [need info] → [adt1]
"printing/faxing" is fixed in bug #118887

keeping this open for any sending issues.
Status: NEW → ASSIGNED
Summary: Sending/printing/faxing an email reveals the name of the profile directory secret .slt name → Sending an email reveals the name of the profile directory secret .slt name
No longer depends on: 118887
Attached patch patchSplinter Review 
prevent leakage of mail uris or urls that might reveal hostname, username, or
.slt path.
fixed, you should not longer be able to leak local, imap, or news message uris
or urls.

at least, I've plugged the printing/faxing hole, and now the message attach hole.

if we find other holes, I'll plug them too.
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Summary: Sending an email reveals the name of the profile directory secret .slt name → Sending an email can reveal the name of the profile directory secret .slt name, the username, or hostname
now when you dnd message parts or messages, the pretty name will be:

Attached Message
or
Attached Message Part

defined in composeMsgs.properties
robinf / esther / nbaca:  any better suggestion for the UI strings?
Target Milestone: --- → mozilla1.4beta
Using trunk build 20030515 on winxp, mac and linux printing mail messages from
imap folders, local folders no longer shows the location string at the top of
the printed page.  Dragging an image off a message to a compose window does not
show the location of where the message with the image is located.   It shows
Attached Message Part. Verified.
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: