1.5.0.12 / newmsg / security risk

v4ixapdbm
1.5.0.12 / newmsg / security risk

I have discovered that, while downloading new messages, there is a file "newmsg" that is saved on the hard drive in the local user's temp directory (\Documents and Settings\[user]\Local Settings\Temp\). It seems to be a placeholder for the current message being downloaded. When the message is downloaded, "newmsg" is removed and apparently imported into the Thunderbird mailbox. Then, "newmsg" is recreated for the next incoming message. I have opened up the "newmsg" file in Notepad, and it is the full e-mail, headers and all!

If an adversary gets access to the hard drive from the computer that Portable Thunderbird was run from, it might be easy to recover the contents of all of the "newmsg" files. Seems like a huge security risk.

How can the location of this "newmsg" be changed? I would like to change it so it puts it on the USB flash drive that Portable Thunderbird is running from.

Also, what other personally identifiable files are put on the hard drive? And, how to change the location of these files so they are put on the USB flash drive instead?
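An added example, not part of the original post and not Thunderbird or PortableApps code: a Python audit that walks a temp directory and reports files whose contents parse as mail headers, such as a leftover "newmsg". The function names, the two-header threshold and the sample message are assumptions constructed for illustration.

```python
import os
import tempfile
from email.parser import BytesHeaderParser

# Headers a downloaded message normally carries; two or more means "looks like mail".
MAIL_HEADERS = ("Received", "From", "To", "Subject", "Date", "Message-ID")

def looks_like_mail(path, probe_bytes=8192):
    """Return True if the start of the file parses as e-mail headers."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(probe_bytes)
    except OSError:
        return False  # locked or unreadable: skip rather than abort the audit
    msg = BytesHeaderParser().parsebytes(head)
    return sum(1 for h in MAIL_HEADERS if msg[h] is not None) >= 2

def find_mail_residue(temp_dir):
    """Walk temp_dir and return the sorted paths of files that hold message text."""
    hits = []
    for root, _dirs, files in os.walk(temp_dir):
        for name in files:
            path = os.path.join(root, name)
            if looks_like_mail(path):
                hits.append(path)
    return sorted(hits)

def demo():
    """Constructed sample: one leftover 'newmsg' and one unrelated temp file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "newmsg"), "wb") as fh:
            fh.write(b"Received: from mx.example.test by host.example.test\r\n"
                     b"From: alice@example.test\r\nTo: bob@example.test\r\n"
                     b"Subject: constructed sample\r\n\r\nbody text\r\n")
        with open(os.path.join(d, "setup.log"), "wb") as fh:
            fh.write(b"installer finished with code 0\n")
        return [os.path.basename(p) for p in find_mail_residue(d)]

if __name__ == "__main__":
    # Default to the current user's temp directory, where the post saw "newmsg".
    for hit in find_mail_residue(tempfile.gettempdir()):
        print(hit)
```

The check matches on content rather than on the file name, so it also flags message text left under other names in the same directory.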

v4ixapdbm
progress...

I upgraded to 2.0.0.4 and decided to look through the options. I believe the option located in privacy -> anti-virus -> allow anti-virus clients to.... is what triggers this security hole. I unchecked that option and now the newmsg no longer appears. However, I would still like for the message to be scanned by the anti-virus. So, what really needs to happen is for that newmsg file to be saved locally to the USB stick. Anyone know of an option somewhere, perhaps in the config editor, to change this? I will ask my question in the MozillaZine forums as well.

Aciago
I read...

Somewhere a command line option for ClamWin to scan mails just when they download to the client... Is that what you want? I think I read that here on Papps.com forum but don't remember where exactly... sorry!

------------------
I have no signature again...

If a packet hits a pocket on a socket on a port,
and the bus is interrupted as a very last resort,
and the address of the memory makes your floppy disk abort,
then the socket packet pocket has an error to report

v4ixapdbm
it doesn't seem to be

It doesn't seem to be configurable in about:config.

I request that this feature be addressed in the next release of Portable Firefox so the 'newmsg' file is saved to someplace on the same drive that portablefirefox.exe is running from. Seems simple enough to me.

Also, any other files that are written to the hard disk that can be written to the drive that portablefirefox.exe is run from should also be addressed.
