Closed Bug 934302 Opened 11 years ago Closed 11 years ago

Images showing when remote content blocked

Categories

(Thunderbird :: Untriaged, defect)

24 Branch
x86_64
Windows 7
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 322533

People

(Reporter: simon.rose, Unassigned)

Details

Attachments

(1 file)

Attached file Spam email.txt
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36

Steps to reproduce:

Loaded an email.


Actual results:

I received a spam email and normally Thunderbird blocks remote images. However in this email (and a lot of other emails), Thunderbird did not block the image.

Thunderbird said it had blocked remote content in this email, so this seems to be a bug? Also the URL they provided was hyperlinked. 

I have attached the source code of the email in a text file. It may have references to a virus (being a spam email). 


Expected results:

The image should not have shown.
Severity: normal → major
I don't think this is security sensitive that needs to be hidden. At the worst this is a csec-disclosure which would allow the confirmation of email addresses.

There are two images in the email:

<img src=3D"cid:04b9048113da477f8c85f8717da0bb15" style=3D"border: 0" />

and

<img width=3D"1" src=3D"http://francis-downer.us/statf.php?m=3D....&mid=
=3D33022">

The first image would be displayed since it is contained inline in the message and is not remote.

The second image should be blocked however.

Simon, are you sure the remote image was not blocked? If you right click on the image, do you see Copy Link Location and is the link http://www.francis-downer.us/ ? Then that is the inline image that would not be blocked.

The second image is only 1 pixel wide and might not be visible even if it were not displayed. If you have Wireshark or a similar program installed you can figure out if there is an actual network request to fetch the image.
Group: core-security
Flags: needinfo?(simon.rose)
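
The inline-versus-remote distinction from the comment above, as an added example (not part of the bug thread and not Thunderbird's code): it parses a constructed message, decodes the quoted-printable HTML part, and labels each `<img>` as inline (`cid:` resolved from a MIME part in the same message) or remote, flagging 1-pixel remote images. The host `tracker.example`, the Content-ID `logo123` and the function and class names are assumptions made for the illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not the attachment from this bug): inline cid: image + 1-pixel remote image.
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"cid:logo123" style=3D"border: 0" />
<img width=3D"1" src=3D"http://tracker.example/statf.php?m=3Dabc&mid=
=3D33022"></body></html>
--b1
Content-Type: image/png
Content-ID: <logo123>

iVBORw0KGgo=
--b1--
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def classify_images(raw):  # returns [(kind, looks_like_beacon, src), ...]
    msg = message_from_string(raw, policy=default)
    cids = {p["Content-ID"].strip("<>") for p in msg.walk() if p["Content-ID"]}
    out = []
    for part in [p for p in msg.walk() if p.get_content_type() == "text/html"]:
        c = ImgCollector()
        c.feed(part.get_content())  # get_content() undoes quoted-printable (=3D, soft breaks)
        for a in c.images:
            src = a.get("src") or ""
            scheme = urlsplit(src).scheme.lower()
            if scheme == "cid":  # served from a MIME part of this message, no network fetch
                kind = "inline" if src[4:] in cids else "inline-unresolved"
            else:  # http(s) sources cause a request to the sender's server when loaded
                kind = "remote" if scheme in ("http", "https") else "other"
            beacon = kind == "remote" and "1" in (a.get("width"), a.get("height"))
            out.append((kind, beacon, src))
    return out
```
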
I did see only one image. So I'm guessing the other remote image was blocked. I just thought Thunderbird would block all images - didn't know about inline vs remote. And I'm guessing if it's inline - that doesn't present a security risk - otherwise Thunderbird would block it?
Flags: needinfo?(simon.rose)
Yeah, it is something I have wanted for a while. I'll dupe this against bug 322533. 

Thanks for the report! Don't get discouraged about how this was resolved!
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE