Bugtraq mailing list archives

Re: Excite Email Disclosure Vulnerability


From: Obscure <obscure () eyeonsecurity net>
Date: Tue, 19 Mar 2002 21:57:14 +0100

Hello Jan,

Tuesday, March 19, 2002, 12:01:36 AM, you wrote:

JS> Hello all,

JS> It appears that Excite's use of PHP allows for unauthorized access to a
JS> user's mailbox and subsequently his/her account on email.excite.com

JS> Suppose a user receives an E-Mail with a URL and follows the link - the
JS> target server receives a Referer String containing the PHPSESSION-Id
JS> (http://e19.email.excite.com/msg_read.php?t=0&m=0&s=1&d=1&mid=157&PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
JS> for example).

JS> Copy and paste this into your browser and you have access to that user's
JS> mailbox.

JS> I emailed Excite about this on March 9th, but didn't get any response.
JS> A proposed solution for Excite would be to use cookies or to use PHP in
JS> such a manner that it does not transmit the session-id on each link.

JS> -Jan

Also reported to bugtraq and on EoS:
http://eyeonsecurity.net/advisories/imail.html   (Control+F, excite)

I tried to contact them as well, and similarly got no response. To exploit
this to automatically get the URL, you would reference an IMAGE instead of expecting
the user to follow a link.

To test this, check out a small tool I put up:
http://eyeonsecurity.net/tools/referer.html

-- 
Best regards,
 Obscure
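
The leak discussed in this thread is visible in ordinary web server logs. The following is an added example, not part of the original messages: it scans access log lines for session identifiers carried in the request URL or the Referer field and redacts their values before the lines are stored or shared. The parameter names other than PHPSESSID, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as session identifiers.
# PHPSESSID is from the thread; the others are an assumed, extendable list.
SESSION_PARAMS = {"phpsessid", "jsessionid", "sid", "sessionid"}

# Combined Log Format: ... "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'"(?:[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def redact_session_params(url):
    """Return (clean_url, leaked_names); session-id values become REDACTED."""
    parts = urlsplit(url)
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            leaked.append(name)
            value = "REDACTED"
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), leaked

def scan_access_log(lines):
    """Yield (line_no, field, redacted_url) for each URL carrying a session id."""
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a Combined Log Format line
        for field in ("target", "referer"):
            clean, leaked = redact_session_params(m.group(field))
            if leaked:
                yield no, field, clean

# Constructed sample lines (not real traffic); host names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Mar/2002:21:57:14 +0100] "GET /logo.gif HTTP/1.0" 200 43 '
    '"http://mail.example/msg_read.php?mid=157'
    '&PHPSESSID=0123456789abcdef0123456789abcdef" "Mozilla/4.0"',
    '192.0.2.11 - - [19/Mar/2002:21:58:02 +0100] "GET /index.html HTTP/1.0" 200 512 '
    '"http://www.example/links.html" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A hit in the `referer` field means another site's session id reached this server; a hit in the `target` field means this server's own application is putting session ids in URLs.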

