Closed Bug 547568 Opened 14 years ago Closed 14 years ago

Spammers can force thunderbird to show inline porn images.

Categories

(Thunderbird :: Security, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 322533

People

(Reporter: dosergio, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-BR; rv:1.9.2) Gecko/20100115 Firefox/3.6 (.NET CLR 3.5.30729)
Build Identifier: 20090605 up to the current version 3.0

I received some messages (spam) coming from porn advertisers.
And they are succeeding in loading their images without Thunderbird blocking them, as Thunderbird usually does in other messages.

Reproducible: Always

Steps to Reproduce:
I will paste here part of the message source code for you to analyze.
They load the image in a different section of the message, and put it as the image source with a cid: identifier!
-----------------------------------------------------------------------------
MIME-Version: 1.0
Content-Type: Multipart/related;
  type="multipart/alternative";
  boundary="------------C2318E1B.78010102"

--------------C2318E1B.78010102
Content-Type: Multipart/Alternative;
  boundary="------------F7B0B2DD.2B5F7913"

--------------F7B0B2DD.2B5F7913
Content-Type: Text/Plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--------------F7B0B2DD.2B5F7913
Content-Type: Text/HTML;
  charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


<html>
<body>
snowshine platerer unappreciable hyperphysically=2E typobar overleaf, na=
to uncurling, nontrunked independentism ramets harmed
kistfuls archipelagoes<br>
<img src=3D"cid:103C0EED=2EB1800F91"><br>
foreordains opulency indecomposableness summerize=2E upcountry filesave,=
 instates blurts, subtrochanteric=2E<br>
</body>
</html>

--------------F7B0B2DD.2B5F7913--

--------------C2318E1B.78010102
Content-Type: image/png;
  name="vasiferous.png"
Content-Transfer-Encoding: base64
Content-ID: <103C0EED.B1800F91>

iVBORw0KGgoAAAANSUhEUgAAAIcAAADwCAMAAAAdHodBAAADAFBMVEVcRTiyl4f5//1OS0mI
alSpjHiqyLyx0MvU0NCLpZxscm7St6oxLCt0jYxLNCvgyrp4ZVPt1suahXLs//7a/v0LDAqY
(.....)

Actual Results:  
Thunderbird loads and shows offensive images without detecting and blocking them.

Expected Results:  
Thunderbird should detect the trick, block the images and show a "Show Images" button.

I have tested even in the most recent version (3.0), and the problem of the porn images being shown in the message without Thunderbird detecting and blocking them remains.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
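
The message layout in the report, checked from the filtering side. This is an added example, not part of the original report and not Thunderbird code: it lists embedded image parts that an HTML body pulls in through cid: references. The function name, the placeholder boundaries and the image bytes are assumptions made for the example.

```python
import email
import re
from email import policy
from urllib.parse import unquote

# Constructed sample: same MIME layout as the report, placeholder boundaries and image bytes.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: Multipart/related; type="multipart/alternative"; boundary="OUTER"

--OUTER
Content-Type: Multipart/Alternative; boundary="INNER"

--INNER
Content-Type: Text/HTML; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"cid:103C0EED=2EB1800F91"></body></html>
--INNER--

--OUTER
Content-Type: image/png; name="vasiferous.png"
Content-Transfer-Encoding: base64
Content-ID: <103C0EED.B1800F91>

iVBORw0KGgo=
--OUTER--
"""

CID_SRC = re.compile(r"""src\s*=\s*["']?cid:([^"'\s>]+)""", re.I)

def inline_cid_images(raw):
    """Return (cid, content type, filename) for image parts the HTML references by cid:."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    by_cid, referenced = {}, set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        cid = part.get("Content-ID")
        if cid:
            by_cid[str(cid).strip().strip("<>")] = part
        if part.get_content_type() == "text/html":
            # get_content() undoes quoted-printable and the charset, so "=2E" becomes "."
            html = part.get_content()
            referenced.update(unquote(m) for m in CID_SRC.findall(html))
    return [(cid, p.get_content_type(), p.get_filename())
            for cid, p in by_cid.items()
            if cid in referenced and p.get_content_maintype() == "image"]

if __name__ == "__main__":
    print(inline_cid_images(SAMPLE))
```

Matching on the raw source would miss this message, because the quoted-printable body writes the dot in the cid as =2E; the reference only lines up with the Content-ID header after decoding.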