Webmail.bellsouth.net security problems

From: Leonid S. Knyshov (wiseleoat_private)
Date: Tue Aug 25 1998 - 15:39:11 PDT

    Dear Bugtraq readers and security at Bellsouth
    
    Upon examining my log files, I came across an interesting fact.
    
    Background:
    As part of my Internet marketing efforts, I read web log files daily to
    see if anything interesting comes up.
    
    Just today I was reading my logs this way: grep welcome.html access.log
    
    And among others there was this entry:
    
    *.*.*.* - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 200 4427 "http://webmail.bellsouth.net/WebEmail?FormName=ReadMail&WebMail-Action=WebMail-MessageContent&WebMail-MsgNdx=3&WebMail-St=&WebMail-MailBox=INBOX&SEQ=Xnn-43_tE0_PB9GePBFs8txjXohB-IdE&WebMail-MsgCount=69&locale=en&ver=2.0.0&dyn=" "Mozilla/3.02Gold (WinNT; I)"
    
    Naturally that sparked my interest, so I went to that exact same URL. I
    was greeted with a message that 2 hours passed and I am logged off, but
    that's not a good thing.
    
    Concerns:
    Bellsouth.net webmail customers' accounts may be easily abused
    
    Investigation:
    Just created an account to check out features,
    POP3 access without additional authentication I presume
    Oh my God... There is a tab "Personal Info" *gasp*...
    Address, phone number, place of work, etc.
    
    Obviously this is unacceptable. Incredibly easy to bypass security.
    
    One attack would be:
    to: unsuspecting_userat_private
    subject: check out my site!
    
    Hey buddy, check out my site! http://www.crashproofpc.com
    
    If they click they send me their UNLOCKED mailbox location via
    HTTP_REFERER, and if I have access to log files, I can easily get into
    that account and cause a great deal of trouble. I won't go into any
    further details :)
    --
    Leonid S. Knyshov
    Information Technology Consultant
    Crashproof Solutions - "Keeping true to our name!"
    http://www.crashproofpc.com
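
Added example, not part of the original post: a site that receives Referer values like the one quoted above can avoid retaining other people's session state by redacting session-bearing query parameters before its access logs are stored or shared. It assumes Combined Log Format and that `SEQ` is the session parameter; the other parameter names, hosts and token value are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Assumption: parameter names that may carry session state. SEQ appears in the
# URL quoted in the post; the others are common names added for illustration.
SENSITIVE = {"seq", "sid", "session", "sessionid", "token"}

def redact_referer(referer):
    """Return (redacted_referer, names_of_redacted_params)."""
    parts = urlsplit(referer)
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE and value:
            leaked.append(name)
            value = "REDACTED"
        kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), leaked

def scrub_line(line):
    """Redact session parameters in the Referer field of one log line."""
    text = line.rstrip("\n")
    m = LOG_RE.match(text)
    if not m:
        return text, []                    # leave unparseable lines untouched
    clean, leaked = redact_referer(m.group("referer"))
    start, end = m.span("referer")
    return (text[:start] + clean + text[end:] if leaked else text), leaked

# Constructed sample lines (not real traffic); the token value is a placeholder.
SAMPLE = [
    '192.0.2.10 - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 200 4427 '
    '"http://webmail.example/WebEmail?FormName=ReadMail&WebMail-MailBox=INBOX'
    '&SEQ=PLACEHOLDER-TOKEN&locale=en" "Mozilla/3.02Gold (WinNT; I)"',
    '192.0.2.11 - - [25/Aug/1998:07:30:00 -0700] "GET /welcome.html HTTP/1.0" 200 4427 '
    '"http://search.example/?q=crashproof" "Mozilla/3.02Gold (WinNT; I)"',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        out, leaked = scrub_line(raw)
        print("LEAK " + ",".join(leaked) if leaked else "ok", out)
```

Scrubbing at the receiving site only limits what is retained; the token still crosses the network in the Referer header for as long as the webmail service carries session state in the URL.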
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:13:29 PDT