Eudora Client and Path Disclosure Vulnerability
BID:1653
| Bugtraq ID: | 1653 |
| Class: | Unknown |
| CVE: | |
| Remote: | Unknown |
| Local: | No |
| Published: | Sep 07 2000 12:00AM |
| Updated: | Sep 07 2000 12:00AM |
| Credit: | First posted to Bugtraq by Yves Lepage <[email protected]> on September 7, 2000. |
| Vulnerable: | Qualcomm Eudora 4.3; Qualcomm Eudora 4.2 |
| Not Vulnerable: | |
Discussion
Eudora is a popular graphical e-mail client for Windows computers offered for free by Qualcomm. It has been reported to Bugtraq that Qualcomm's Eudora discloses system path information in e-mail messages under certain conditions. When a Eudora user replies to a message that contained an attachment (the example given was a .VCF card) and the reply includes the original message, a string is appended saying that the attachment was converted. This string lists the file and its full path on the client computer, revealing the directory structure of the client.
From the Bugtraq post:
"I sent an email to somebody who uses Eudora. I have a virtual card attached
to all my messages (VCF).
The person replied and as most mail programs do, the original message (mine)
was included at the end, along with a nice little piece of information:
>
>Attachment Converted: "c:\program files\eudora\attach\Yves Lepage.vcf"
"
This information may (though this is unlikely) be used to assist further attacks against the client.
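One way an outbound mail filter or pre-send hook could catch the line quoted above, as an added example that is not part of the advisory or of Eudora: it finds `Attachment Converted:` lines in an outgoing body, quoted or not, and reduces each path to its file name. The function names and the sample message are constructed for illustration.

```python
import ntpath
import re
from email import message_from_string

# Eudora's marker line, optionally preceded by reply-quote characters (">").
MARKER = re.compile(
    r'^(?P<prefix>[> \t]*)Attachment Converted: "(?P<path>[^"\r\n]+)"',
    re.MULTILINE,
)

def find_disclosed_paths(body):
    """Return every local path exposed by an 'Attachment Converted' line."""
    return [m.group("path") for m in MARKER.finditer(body)]

def redact_paths(body):
    """Keep the attachment's file name but drop the directory it was saved in."""
    def _strip(m):
        name = ntpath.basename(m.group("path"))  # handles c:\... style paths
        return f'{m.group("prefix")}Attachment Converted: "{name}"'
    return MARKER.sub(_strip, body)

def scrub_outgoing(raw_message):
    """Parse a single-part message; return (leaked paths, cleaned body)."""
    body = message_from_string(raw_message).get_payload()
    return find_disclosed_paths(body), redact_paths(body)

# Constructed sample reply built around the line quoted in the Bugtraq post.
SAMPLE = (
    "From: recipient@example.com\n"
    "To: sender@example.com\n"
    "Subject: Re: hello\n"
    "\n"
    "Thanks for the note.\n"
    "\n"
    ">Original message text\n"
    ">\n"
    '>Attachment Converted: "c:\\program files\\eudora\\attach\\Yves Lepage.vcf"\n'
)

if __name__ == "__main__":
    leaked, cleaned = scrub_outgoing(SAMPLE)
    for path in leaked:
        print("path disclosed:", path)
    print(cleaned)
```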
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].