Bugtraq mailing list archives
Re: IMail Account hijack through the Web Interface
From: Henrik Larsson <henrik () larsson net>
Date: Tue, 12 Mar 2002 00:05:40 +0100
This (among other things in IMail v. 7.04 and earlier) was reported to Bugtraq by Niels Heinen (zilli0n () gmx net) on the 12th of October last year. The only difference is that this post reports that v. 7.05 is also vulnerable (if not patched).
http://online.securityfocus.com/archive/1/219970

On 21:37 2002-03-10 +0100 Obscure wrote:
Advisory Title: IMail Account hijack through the Web Interface
Release Date: 10/03/2002
Application: IMail Server
Platform: Windows NT4, Windows 2000, Windows XP
Version: 7.05 or earlier
Severity: Malicious users can easily access other people's accounts.
Author: Obscure^ [ obscure () eyeonsecurity net ]
Vendor Status: Informed on 21 Feb 2002, a fix was already issued to customers.
Web: http://www.eyeonsecurity.net
     http://www.ipswitch.com

Background.
(extracted from http://www.ipswitch.com/Products/IMail_Server/index.html)

The 20-Minute E-Mail Solution. IMail Server is an easy-to-use, web-enabled, secure and spam-resistant mail server for Windows NT/2000/XP. It is the choice of businesses, schools, and service providers.

A Great Price-Performer. Unlike Microsoft® Exchange and Lotus® Notes, which are costly to deploy and cumbersome to administer, IMail Server is easy to install and easy to manage. It has a simple pricing structure and is scalable to thousands of users per server.

Problem.

When a user logs in to his account through the Web interface, the session authentication is maintained via a unique URL. By sending an HTML e-mail which includes an image at another server, an attacker can easily get the unique URL via the referer field in the HTTP header.

Exploit Example.

http://eyeonsecurity.net/tools/referer.html

A CGI script sends an e-mail with an attached image, pointing to another CGI script which sends the referer URL to the attacker.

Fix.

Upgrade to IMail 7.06. The fixed version checks for the IP. The authentication now relies on the unique URL and the IP address. Of course, users who log in to the IMail Web interface from behind proxies are still vulnerable.

ps. this same vulnerability affects Excite WebMail. The Excite guys did not contact me back.

Disclaimer.

The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility.

Feedback.

Please send suggestions, updates, and comments to:
Eye on Security
mail : obscure () eyeonsecurity net
web  : http://www.eyeonsecurity.net
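The quoted advisory describes two session-validation policies: the original one, where the unique URL alone is the credential, and the 7.06 fix, where the URL must also be presented from the IP that logged in. The following is an added illustration written for this archive page, not IMail code or the advisory author's tool. It models both policies, shows why a URL-borne token is exposed by the Referer header a browser sends when a page loads an off-site image, and reproduces the proxy caveat the advisory notes. The session parameter name, host name, IP addresses and user names are all constructed.

```python
# Added example (not IMail code): models the session-validation policies the
# advisory describes. All names, hosts, IPs and tokens below are constructed.
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs


@dataclass
class Session:
    user: str
    login_ip: str


class UrlTokenSessions:
    """Pre-7.06 behaviour as described: the token carried in the URL is the
    only thing checked, so anyone who learns the URL can use the session."""

    def __init__(self):
        self._by_token = {}

    def login(self, user, client_ip):
        token = secrets.token_urlsafe(16)
        self._by_token[token] = Session(user, client_ip)
        return token

    def resolve(self, token, client_ip):
        # client_ip is deliberately ignored: the URL is the whole credential.
        s = self._by_token.get(token)
        return s.user if s else None


class IpBoundSessions(UrlTokenSessions):
    """7.06-style fix as described: the token must match AND the request must
    arrive from the IP address that performed the login."""

    def resolve(self, token, client_ip):
        s = self._by_token.get(token)
        if s is None or s.login_ip != client_ip:
            return None
        return s.user


def referer_for_embedded_resource(page_url):
    """Model of what a browser of the period sent as the Referer header when
    a page at page_url loaded an <img> from another origin: the full page
    URL, query string included. Hypothetical helper for illustration."""
    return page_url


def session_token_in_url(url, param="session"):
    """Return the session token if the URL carries one in its query string.
    The parameter name 'session' is an assumption, not IMail's real layout."""
    values = parse_qs(urlsplit(url).query).get(param)
    return values[0] if values else None


if __name__ == "__main__":
    weak, hardened = UrlTokenSessions(), IpBoundSessions()
    t_weak = weak.login("alice", "10.0.0.5")
    t_hard = hardened.login("alice", "10.0.0.5")

    # The Referer for an off-site image carries the whole session URL.
    page = f"http://mail.example.test/webmail?session={t_hard}"
    print("token visible in Referer:", session_token_in_url(referer_for_embedded_resource(page)) == t_hard)

    # URL-only policy: a different host can use the leaked URL.
    print("weak, other IP :", weak.resolve(t_weak, "192.0.2.77"))
    # IP-bound policy: the same URL from another IP is refused.
    print("hard, other IP :", hardened.resolve(t_hard, "192.0.2.77"))
    print("hard, login IP :", hardened.resolve(t_hard, "10.0.0.5"))

    # Proxy caveat: every client behind one proxy shares its IP, so the
    # IP check cannot tell the session owner from a neighbour on that proxy.
    t_proxy = hardened.login("bob", "198.51.100.1")
    print("hard, same proxy:", hardened.resolve(t_proxy, "198.51.100.1"))
```

The point the model makes is that the IP check narrows the exposure rather than removing it: a session identifier in the URL still leaves the process boundary whenever the page references an external resource, which is why later designs moved the identifier into a cookie that embedded-resource requests to other origins do not carry.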