Bugtraq mailing list archives

Re: Webmail.bellsouth.net security problems


From: marcs () ZNEP COM (Marc Slemko)
Date: Tue, 25 Aug 1998 16:46:41 -0700


On Tue, 25 Aug 1998, Leonid S. Knyshov wrote:

> Dear Bugtraq readers and security at Bellsouth
>
> Upon examining my log files, I came across an interesting fact.
>
> Background:
> As part of my Internet marketing efforts, I read web log files daily to
> see if anything interesting comes up.

Yes, this basic issue has been posted several times to bugtraq in the
past six months or so.

It applies to most web based mail services.  The basic problem is that the
URL of a page is _not_ treated as confidential information by the client
and must not be used as such.  It can be exposed from many places, e.g.
insecure proxy logs, the Referer header, the user's history (use a public
access terminal to check your mail, log out, and, assuming the service doesn't
invalidate the session when you log out "properly", someone can walk up and
use your account), etc.

This is one of the situations where cookies are actually one of the better
solutions.  HTTP authentication is even better, but many people dislike it
because they can't control the login prompt and due to how it can be
cached by the client.



> Just today I was reading my logs this way: grep welcome.html access.log
>
> And among others there was this entry:
>
> *.*.*.* - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 200 4427 "http://webmail.bellsouth.net/WebEmail?FormName=ReadMail&WebMail-Action=WebMail-MessageContent&WebMail-MsgNdx=3&WebMail-St=&WebMail-MailBox=INBOX&SEQ=Xnn-43_tE0_PB9GePBFs8txjXohB-IdE&WebMail-MsgCount=69&locale=en&ver=2.0.0&dyn=" "Mozilla/3.02Gold (WinNT; I)"
>
> Naturally that sparked my interest, so I went to that exact same URL. I
> was greeted with a message that 2 hours had passed and I was logged off, but
> that's not a good thing.
>
> Concerns:
> Bellsouth.net webmail customers' accounts may be easily abused

Not necessarily.

The typical system will only allow access from the same IP address, so if
someone tries to access it from a different IP address, it won't work.

Some (e.g. eudoramail) allow access to the whole /24 (or something
resembling that), presumably to deal with proxies.

Now the problem arises with proxies: what if you are coming through a
proxy?  What if someone else can come through the same proxy?  Then they
can access your mailbox.

And, of course, you can think of a million variations using javascript to
get them to follow the link but that gets boring.



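The two points of the thread, modelled offline as an added example (Python, not code from either poster): first, the Referer leak itself, parsing the log format shown in the quoted entry and pulling out any query parameter that looks like a session identifier (the "SEQ" name is from the post; the other parameter names are assumptions); second, the session-binding policies the reply describes (none, exact IP, whole /24), replaying the leaked token from another network, from a neighbour on the victim's /24 as a stand-in for the shared-proxy case, and from the victim's own address. The sample log is constructed: it is the entry from the post with the masked client address replaced by an RFC 5737 documentation address, plus one harmless hit.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlsplit

# Combined Log Format as in the post: client, ident, user, [time], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Query-string names that usually carry a session identifier.  "SEQ" is the
# one seen in the post; the others are assumptions for illustration.
SESSION_PARAM_RE = re.compile(
    r"^(seq|sid|sessionid|session|phpsessid|jsessionid|token)$", re.I
)

# Constructed sample log: the entry from the post, with the masked client
# address replaced by an RFC 5737 documentation address, plus a harmless hit.
SAMPLE_LOG = (
    '192.0.2.10 - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" '
    '200 4427 "http://webmail.bellsouth.net/WebEmail?FormName=ReadMail'
    '&WebMail-Action=WebMail-MessageContent&WebMail-MsgNdx=3&WebMail-St='
    '&WebMail-MailBox=INBOX&SEQ=Xnn-43_tE0_PB9GePBFs8txjXohB-IdE'
    '&WebMail-MsgCount=69&locale=en&ver=2.0.0&dyn=" "Mozilla/3.02Gold (WinNT; I)"\n'
    '192.0.2.11 - - [25/Aug/1998:07:30:15 -0700] "GET /welcome.html HTTP/1.0" '
    '200 4427 "http://www.example.com/links.html" "Mozilla/4.05 (X11; I; Linux)"\n'
)


def parse_log_line(line):
    """Split one log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def leaked_sessions(log_text):
    """Find Referers whose query string carries a session-like parameter.

    Returns (client_ip, referer_host, param_name, token) tuples: everything
    someone reading this log needs to try the victim's webmail URL."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_log_line(line)
        if not entry or entry["referer"] in ("", "-"):
            continue
        url = urlsplit(entry["referer"])
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if SESSION_PARAM_RE.match(name) and values[0]:
                hits.append((entry["host"], url.hostname, name, values[0]))
    return hits


class SessionStore:
    """Model of a webmail session table (an assumption, not any real service);
    policy says how the client address is checked on each request."""

    def __init__(self, policy):
        if policy not in ("none", "exact", "slash24"):
            raise ValueError(policy)
        self.policy = policy
        self.sessions = {}  # token -> (user, client_ip at login)

    def login(self, token, user, client_ip):
        self.sessions[token] = (user, client_ip)

    def lookup(self, token, client_ip):
        """Return the user the token belongs to if it is accepted from
        client_ip, else None."""
        if token not in self.sessions:
            return None
        user, bound_ip = self.sessions[token]
        if self.policy == "none":
            return user
        if self.policy == "exact":
            return user if client_ip == bound_ip else None
        # "slash24": accept anyone sharing the first 24 bits of the address
        subnet = ip_network(bound_ip + "/24", strict=False)
        return user if ip_address(client_ip) in subnet else None


def replay_leaked_tokens(log_text, store):
    """Try every token found in the log from three places: a host on another
    network, a host on the victim's /24 (the shared-proxy case), and the
    victim's own address.  Returns {token: {where: user_or_None}}."""
    results = {}
    for victim_ip, _host, _name, token in leaked_sessions(log_text):
        neighbour = str(ip_network(victim_ip + "/24", strict=False)[200])
        results[token] = {
            "other_network": store.lookup(token, "198.51.100.7"),
            "same_slash24": store.lookup(token, neighbour),
            "victim": store.lookup(token, victim_ip),
        }
    return results


if __name__ == "__main__":
    for hit in leaked_sessions(SAMPLE_LOG):
        print("client %s came from %s with %s=%s in the Referer" % hit)
    for policy in ("none", "exact", "slash24"):
        store = SessionStore(policy)
        store.login("Xnn-43_tE0_PB9GePBFs8txjXohB-IdE", "victim", "192.0.2.10")
        print(policy, replay_leaked_tokens(SAMPLE_LOG, store))
```

With the "none" policy the token alone is enough from anywhere; "exact" stops both outsiders; "slash24" stops the outsider but admits the neighbour, which is the proxy problem the reply points at. None of this helps once the attacker is behind the same proxy as the victim, which is why the reply prefers cookies or HTTP authentication over a token in the URL.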