Date: Thu, 8 Apr 1999 22:22:39 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Matthew Dillon <dillon@apollo.backplane.com>
Cc: Foxfair Hu <foxfair@news.ks.edu.tw>, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
Message-ID: <Pine.BSF.3.96.990408222051.17455A-100000@fledge.watson.org>
In-Reply-To: <199904090133.SAA16835@apollo.backplane.com>

On Thu, 8 Apr 1999, Matthew Dillon wrote:

> :Forwarded by Foxfair Hu <foxfair@news.ks.edu.tw>
> :---------------- Original message follows ----------------
> : From: Alexey Pavlov <paaa@UIC.NNOV.RU>
> : To: BUGTRAQ@netspace.org
> : Date: Thu, 8 Apr 1999 21:12:27 +0400
> : Subject: Netscape 4.5 vulnerability
> :--
> :
> :I found method how to get users passwords from Netscape 4.5 for FreeBSD
> : ~user/.netscape/liprefs.js file. This file is used for storing user last
> :session preferences. This file also contains encrypted password for pop3.
> :Not like a DES, this encryption can be decrypted. As a result of many
> :experiments I wrote this program. It gives me almost all passwords in my
> : system, because all people use Netscape.
> :Here is src of this decryption program:
>
>     The 'security hole' is that netscape doesn't make the .netscape
>     directory 700.  I'd report it to netscape.  I dunno whether they
>     will do anything about it, though.

Huh. Didn't do that for me; mine is safely readable and writable only for
my uid. And there are a lot of posts to bugtraq about programs that store
passwords unencrypted and it always surprises me that people are still
complaining about it :-). As you suggest, the real issue is the access
control used to protect the data object, which in Windows are nil, of
course.

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
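
The access-control point made in this thread, as an added example that is not part of the original message: a POSIX shell audit that checks whether a home directory's `.netscape` is mode 700 and, when it is not, whether the `liprefs.js` file named in the quoted report is itself open to group or other. The function names (`exposed`, `audit_netscape`, `harden_netscape`) and exit codes are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit the permissions protecting ~/.netscape/liprefs.js.
# Exit codes of audit_netscape (chosen for this example):
#   0 = directory is owner-only, 1 = directory open to group/other, 2 = absent

# exposed PATH: true when any group/other permission bit is set on PATH.
# Parses the mode string from ls, which is portable across BSD and GNU userlands.
exposed() {
    case "$(ls -ld -- "$1" | cut -c5-10)" in
        ------) return 1 ;;   # rwx------ or stricter: owner-only
        *)      return 0 ;;
    esac
}

# audit_netscape HOME: report on HOME/.netscape and the prefs file inside it.
audit_netscape() {
    dir="$1/.netscape"
    prefs="$dir/liprefs.js"
    if [ ! -d "$dir" ]; then
        echo "absent: $dir"
        return 2
    fi
    if exposed "$dir"; then
        echo "EXPOSED dir: $dir ($(ls -ld -- "$dir" | cut -c1-10))"
        # Once the directory is open, only the file's own mode protects it.
        if [ -f "$prefs" ] && exposed "$prefs"; then
            echo "EXPOSED file: $prefs ($(ls -ld -- "$prefs" | cut -c1-10))"
        fi
        return 1
    fi
    echo "ok: $dir"
    return 0
}

# harden_netscape HOME: apply the owner-only modes discussed in the thread.
harden_netscape() {
    dir="$1/.netscape"
    [ -d "$dir" ] || return 2
    chmod 700 "$dir"
    if [ -f "$dir/liprefs.js" ]; then chmod 600 "$dir/liprefs.js"; fi
}

# Audit every home directory given on the command line.
for h in "$@"; do audit_netscape "$h" || :; done
```
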