Title: Eudora Client and Path Disclosure Vulnerability
Severity: LOW
Description:
Eudora is a popular graphical e-mail client for Windows computers offered for free by Qualcomm. It has been reported to Bugtraq that Qualcomm's Eudora discloses system path information in e-mail messages under certain conditions. If an individual using Eudora replies to a message that contained an attachment (the example given was a .VCF card) and the reply includes the original message, a string is appended saying that the attachment was converted. This string lists the file and its full path on the client computer, revealing the directory structure of the client.
From the Bugtraq post:
"I sent an email to somebody who uses Eudora. I have a virtual card attached
to all my messages (VCF).
The person replied and as most mail programs do, the original message (mine)
was included at the end, along with a nice little piece of information:
>
>Attachment Converted: "c:\program files\eudora\attach\Yves Lepage.vcf"
"
This information may (though this is unlikely) be used to assist further attacks against the client.
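One way to catch this before a reply leaves the client or at an outbound mail filter, as an added example (not part of the advisory or of any Qualcomm code): a Python function that finds "Attachment Converted:" lines in a plain-text body, including reply-quoted ones, reports the leaked path, and keeps only the file name. The name scrub_body and the sample message are constructed for illustration; the marker line is the one quoted from the Bugtraq post.

```python
import re

# Marker line as quoted in the Bugtraq post, optionally behind reply-quote
# prefixes (">", "> >"). Group 1: prefix + marker, group 2: directory part
# (drive letter or UNC), group 3: file name. Tolerating missing quotes
# around the path is an assumption, not something the advisory states.
MARKER = re.compile(
    r'^((?:[ \t]*>)*[ \t]*Attachment Converted:[ \t]*)"?'
    r'((?:[A-Za-z]:|\\\\)[^"\r\n]*\\)([^"\\\r\n]+?)"?[ \t]*(?=\r?$)',
    re.IGNORECASE | re.MULTILINE,
)


def scrub_body(body):
    """Return (clean_body, leaked_paths) for a plain-text message body.

    Each marker line keeps its quote prefix and the file name, but the
    local directory structure is dropped. Line endings are preserved.
    """
    leaked = []

    def _redact(match):
        leaked.append(match.group(2) + match.group(3))
        return f'{match.group(1)}"{match.group(3)}"'

    return MARKER.sub(_redact, body), leaked


# Constructed sample reply; only the marker line comes from the advisory.
SAMPLE = "\r\n".join([
    "Thanks, see you Monday.",
    "",
    ">Here is my card.",
    ">",
    r'>Attachment Converted: "c:\program files\eudora\attach\Yves Lepage.vcf"',
    "",
])

if __name__ == "__main__":
    clean, leaked = scrub_body(SAMPLE)
    for path in leaked:
        print("local path disclosed:", path)
    print(clean)
```

A non-empty leaked list can also be used purely as a detection signal, for example to log which clients are emitting local paths, without rewriting the message.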
Affected Products:
- Qualcomm Eudora 4.2.0
- Qualcomm Eudora 4.3.0