Mozilla Thunderbird inline HTML attachment information disclosure

thunderbird-inline-information-disclosure (24959)

Low Risk

Description:

Mozilla Thunderbird could allow a remote attacker to obtain sensitive information, caused by the failure to properly filter external images from inline HTML attachments. Even when the "Block loading of remote images in mail messages", a remote attacker could create an email with a malicious inline HTML attachment, that when loaded or replied to, would transmit sensitive information to the attacker. An attacker could use this information to launch further attacks against the affected system.

Platforms Affected:

• Canonical, Ubuntu 5.04
• Canonical, Ubuntu 5.10
• Debian, Debian Linux 3.1
• Gentoo, Linux
• MandrakeSoft, Mandrake Linux 2006 X86_64
• MandrakeSoft, Mandrake Linux 2006
• Mozilla, Thunderbird 1.5
• RedHat, Enterprise Linux 4 WS
• RedHat, Enterprise Linux 4 AS
• RedHat, Enterprise Linux 4 ES
• RedHat, Enterprise Linux 4 Desktop
• SuSE, SuSE Linux 10.0
• SuSE, SuSE Linux 9.1
• SuSE, SuSE Linux 9.2
• SuSE, SuSE Linux 9.3

Remedy:

Upgrade to the latest version of Thunderbird (1.5.0.2 or later) or (1.0.8 or later), as listed in Mozilla Foundation Security Advisory 2006-26. See References.

For Debian GNU/Linux (Mozilla):
Refer to DSA-1046-1 for patch, upgrade, or suggested workaround information. See References.

For Debian GNU/Linux (Thunderbird):
Refer to DSA-1051-1 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (Thunderbird):
Refer to Gentoo Linux Security Announcement GLSA 2006-05-09 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux (Mozilla):
Refer to Gentoo Linux Security Announcement GLSA 2006-04-18 for patch, upgrade, or suggested workaround information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2006:022 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Obtain Information

References:

• Full-Disclosure Mailing List, Tue Feb 28 2006 - 12:59:32 CST, Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities at http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0711.html.
• Full-Disclosure Mailing List, Tue Feb 28 2006 - 12:59:32 CST, Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities at http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0711.html.
• Full-Disclosure Mailing List, Tue Feb 28 2006 - 12:59:32 CST, Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities at http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0711.html.
• MFSA 2006-26, Mail Multiple Information Disclosure at http://www.mozilla.org/security/announce/2006/mfsa2006-26.html.
• ASA-2006-085: Mozilla Firefox and Thunderbird security update (RHSA-2006-0328 RHSA-2006-0329 RHSA-2006-330)
• ASA-2007-135: HP-UX Running Thunderbird Remote Unauthorized Access or Elevation of Privileges or Denial of Service (HPSBUX02156)
• BID-16881: Mozilla Thunderbird Multiple Remote Information Disclosure Vulnerabilities
• BID-17516: Mozilla Suite, Firefox, SeaMonkey, and Thunderbird Multiple Remote Vulnerabilities
• CVE-2006-1045: The HTML rendering engine in Mozilla Thunderbird 1.5, when Block loading of remote images in mail messages is enabled, does not properly block external images from inline HTML attachments, which could allow remote attackers to obtain sensitive information, such as application version or IP address, when the user reads the email and the external image is accessed.
• DSA-1046: mozilla -- several vulnerabilities
• DSA-1051: mozilla-thunderbird -- several vulnerabilities
• GLSA-200604-18: Mozilla Suite: Multiple vulnerabilities
• GLSA-200605-09: Mozilla Thunderbird: Multiple vulnerabilities
• MDKSA-2006:078: Updated mozilla-thunderbird packages fix numerous vulnerabilities
• RHSA-2006-0330: thunderbird security update
• SUSE-SA:2006:022: MozillaThunderbird various problems
• USN-276-1: Thunderbird vulnerabilities
• VUPEN/ADV-2006-1356: Mozilla Products Memory Corruption and Information Disclosure Vulnerabilities
• VUPEN/ADV-2006-3749: HP-UX Security Update Fixes Mozilla Thunderbird Code Execution Vulnerabilities

Reported:

Feb 28, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page