Hello, If you carefully look at the inline attachments, you will find this (first proof of concept) : <html><head></head><body style="margin: 0px; padding: 0px; border: 0px;"><iframe src="http://www.sysdream.com"; width="100%" height="100%" frameborder="0" marginheight="0" marginwidth="0"></iframe> The information disclosure doesn't come from the first iframe, but from the second one. Indeed, the inline attachment "basic.html" itself contains a iframe, which is not correctly filtered and makes Thunderbird fetch any external resource. Best regards, Renaud Lifchitz http://www.sysdream.com Daniel Veditz wrote: >Renaud Lifchitz wrote: > > >>Mozilla Thunderbird : Multiple Information Disclosure Vulnerabilities >> >> > >We believe this to be a testing error. The problem of loading remote >iframe and css content was fixed prior to the release of Mozilla >Thunderbird 1.0 > >The testcase included in the advisory contains the iframe and css >content in-line with the message. That will always be shown as there is >no privacy issue with doing so and does not demonstrate the remote >loading issue claimed. > >Once a user has pressed the "Show Images" button--not the best label >since it covers all remote content--that state is stored in the mailbox >metadata/index file (.msf) and the remote content will then be loaded on >future viewings. If the .msf file is not deleted between tests this >could give the appearance of the bug described in the advisory. > >There is a minor residual privacy issue if people whose mail you keep >and reread are setting webbugs on you (your boss could find out how many >times you read his memo?), but in most cases your privacy is fully blown >once you load the remote content the first time. > > > >
