URI Creation may be exploitable over remote addressbooks

NEW
Unassigned

Status

MailNews Core
Address Book
10 years ago
6 years ago

People

(Reporter: prasad, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

10 years ago
Spin off from bug 410177 comment 27.

With reference to http://mxr.mozilla.org/mozilla/source/mail/components/addrbook/content/abCardViewOverlay.js#442 for Thunderbird and http://mxr.mozilla.org/mozilla/source/mailnews/addrbook/resources/content/abCardViewOverlay.js#441 for SeaMonkey - 

Addressbook creates a few mailto links and it is possible that these can be exploited.  As dmose said: "I suspect that it's possible to exploit this URI creation in weird ways by having a remote (e.g. LDAP) addressbook with a hostile email address or convincing someone to import a hostile vCard.  Can you file a spinoff bug to look into that?"

BTW, the code exists in mozilla/mail also, but does not affect Thunderbird.  Both in Thunderbird and SeaMonkey, cvAddAddressNodes is called from DisplayCardViewPane - for Thunderbird 'null' is passed as the first argument (node) since there is no element by id cvAddresses in Thunderbird.
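
One way to treat an address-book field as untrusted data when building a mailto link, as an added example (this is not the code in abCardViewOverlay.js). The helper names `buildMailtoURI` and `isPlainMailto` are hypothetical and the sample addresses are constructed.

```javascript
// Added illustration; buildMailtoURI is a hypothetical helper, not a Mozilla API.
// Assumption: the address comes from an untrusted card (LDAP entry or imported vCard).
function buildMailtoURI(rawAddress) {
  if (typeof rawAddress !== "string") return null;
  const addr = rawAddress.trim();
  // Refuse empty, oversized, or whitespace/control-character input (CR/LF included).
  if (addr.length === 0 || addr.length > 254) return null;
  if (/[\s\x00-\x1f\x7f]/.test(addr)) return null;
  // Require exactly one "@" with text on both sides.
  const at = addr.indexOf("@");
  if (at <= 0 || at !== addr.lastIndexOf("@") || at === addr.length - 1) return null;
  const local = addr.slice(0, at);
  const domain = addr.slice(at + 1);
  // Domain: dot-separated labels of letters, digits and hyphens only.
  if (!/^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$/.test(domain)) return null;
  // "?", "&", "=", "#" and "%" are legal in a local part but are delimiters in a
  // mailto URI, so percent-encode the local part instead of concatenating it raw.
  return "mailto:" + encodeURIComponent(local) + "@" + domain;
}

// True when the URI parses as mailto with no header fields and no fragment.
function isPlainMailto(uri) {
  const u = new URL(uri);
  return u.protocol === "mailto:" && u.search === "" && u.hash === "";
}

// Constructed sample card values, not taken from the bug report.
const samples = [
  "alice@example.com",
  "a?subject=hi@example.com",       // delimiters inside the local part
  "a@example.com?body=x",           // header field appended to the domain
  "bob@example.com\r\nX: y",        // embedded line break
];
for (const s of samples) {
  const uri = buildMailtoURI(s);
  console.log(JSON.stringify(s), "->", uri, uri ? isPlainMailto(uri) : "rejected");
}
```
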
(Reporter)

Comment 1

10 years ago
Just a needs-investigation bug!

Updated

10 years ago
Summary: URI Creation is exploitable over remote addressbooks → URI Creation may be exploitable over remote addressbooks
(Assignee)

Updated

10 years ago
Product: Core → MailNews Core