Re: PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4

["Ricardo J. Ulisses Filho" <ricardoj () hotlink com br>]

Hi,

I've made some tests here and could reproduce the same vulnerability behaviour 
described in your advisory. 
Reading about session handlers, in php.ini, there is an option called 
"session.use_only_cookies", that, if set, avoids such sort of attack which 
involves passing session ids in URLs.
Unfortunately, this option is not used by most default php.ini configurations.

Regards,

-- 
Ricardo J. Ulisses Filho
_____________________________
ricardoj () hotlink com br
System Administrator
HOTlink Internet - Recife / PE /  Brazil

On Wednesday 13 August 2003 18:26, Vincenzo 'puccio' Ciaglia wrote:
> ---------------------------
> PUCCIOLAB.ORG - ADVISORIES
> <http://www.pucciolab.org>
> ---------------------------
>
> PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
>
> ---------------------------------------------------------------------------
> PuCCiOLAB.ORG Security Advisories                      puccio () pucciolab org
> http://www.pucciolab.org                          Vincenzo 'puccio' Ciaglia
> August 12th, 2003
> ---------------------------------------------------------------------------
>
> Package        : Horde MTA
> Vulnerability  : access to private account without login
> Problem-Type   : remote
> Version        : All < 2.2.4
> Official Site  : http://horde.org/
> N° Advisories  : 0001
>
> ***********************
> Description of problem
> ************************
> An attacker could send an email to the victim who ago use of HORDE MTA in
> order to push it to visit a website. The website in issue log all the
> accesses and describe in the particular the origin of every victim.
>
> Example:
> -------------------
> MY STAT FOR MY WEBSITE - REFERENT DOMAIN
> HTTP://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A88190C
> 879B290D12630&INDEX=XXX
>
> In this example, the victim has visualized our website reading the mail
> that we have sent to it. Visiting the link marked from our counter of
> accesses, we will be able to approach the page of management of the mail of
> the victim and will be able to read and to send, calmly, its email without
> to make the login.The session comes sluice after approximately 20 minutes
> and the hacker it has the time to make its comfortable ones.
>
> *************************
> What could make a attacker?
> *************************
> Read, write and fake your e-mail. Could send , from you email address, a
> mail to your ISP and ask it User e PASS of your website.The consequences
> would be catastrophic
>
> *************************
> What I can do ?
> *************************
> Upgrade your MTA Agent to 2.2.4 version.
>
> Greet,
> Vincenzo 'puccio' Ciaglia
> www.pucciolab.org