Bugtraq mailing list archives
Re: Excite Email Disclosure Vulnerability
From: Obscure <obscure () eyeonsecurity net>
Date: Tue, 19 Mar 2002 21:57:14 +0100
Hello Jan,

Tuesday, March 19, 2002, 12:01:36 AM, you wrote:

JS> Hello all,

JS> It appears that Excite's use of PHP allows for unauthorized access to a
JS> user's mailbox and subsequently his/her account on email.excite.com

JS> Suppose a user receives an E-Mail with a URL and follows the link - the
JS> target server receives a Referer String containing the PHPSESSION-Id
JS> (http://e19.email.excite.com/msg_read.php?t=0&m=0&s=1&d=1&mid=157&PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JS> for example).

JS> Copy and paste this into your browser and you have access to that user's
JS> mailbox.

JS> I emailed Excite about this on March 9th, but didn't get any response.

JS> A proposed solution for Excite would be to use cookies or to use PHP in
JS> such a manner that it does not transmit the session-id on each link.

JS> -Jan

Also reported to bugtraq and on EoS:
http://eyeonsecurity.net/advisories/imail.html (Control+F, excite)

I tried to contact them as well, and similarly got no response.

To exploit this to automatically get the URL, you would reference an
IMAGE instead of expecting the user to follow a link.

To test this check out I put up a small tool:
http://eyeonsecurity.net/tools/referer.html

--
Best regards,
 Obscure
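The following is an added example for webmail maintainers, not part of the original posts or of Excite's code. It audits a rendered message page for external references that would receive the session-bearing page URL in the Referer header, and separates links that need a click from resources the browser fetches on its own. The host names, sample HTML and the `referer_leaks` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Query parameters treated as session identifiers (PHPSESSID is from the post).
SESSION_PARAMS = {"PHPSESSID"}
# Tag/attribute pairs whose URL the browser requests, sending a Referer.
URL_ATTRS = {("a", "href"), ("img", "src"), ("iframe", "src"),
             ("link", "href"), ("script", "src")}


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, needs_click)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in URL_ATTRS:
                # Only <a> waits for the user; the rest load automatically.
                self.refs.append((tag, value, tag == "a"))


def referer_leaks(page_url, html):
    """List external references in `html` that would be sent `page_url`,
    session id included, as Referer (assumes the browser sends the full URL)."""
    page = urlsplit(page_url)
    if not SESSION_PARAMS & set(parse_qs(page.query)):
        return []  # session id is not in the URL, so Referer cannot carry it
    collector = _RefCollector()
    collector.feed(html)
    leaks = []
    for tag, ref, needs_click in collector.refs:
        target = urlsplit(urljoin(page_url, ref))
        if target.scheme in ("http", "https") and target.hostname != page.hostname:
            leaks.append({"tag": tag, "host": target.hostname,
                          "needs_click": needs_click})
    return leaks


# Constructed sample: a message view URL with a placeholder session id.
SAMPLE_URL = "http://mail.example.test/msg_read.php?mid=157&PHPSESSID=PLACEHOLDER"
SAMPLE_HTML = """
<p>Hi, see <a href="http://other.example.test/page">this page</a></p>
<img src="http://tracker.example.test/pixel.gif">
<img src="/images/logo.gif">
<a href="msg_list.php?PHPSESSID=PLACEHOLDER">Inbox</a>
"""

if __name__ == "__main__":
    for leak in referer_leaks(SAMPLE_URL, SAMPLE_HTML):
        print(leak)
```

Any entry reported by this check goes away once the session id is carried in a cookie instead of the URL, which is the fix proposed in the quoted message.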
Current thread:
- Excite Email Disclosure Vulnerability Jan Schaumann (Mar 19)
- Re: Excite Email Disclosure Vulnerability Obscure (Mar 20)