Re: Webmail.bellsouth.net security problems

From: Joe (joeat_private)
Date: Fri Aug 28 1998 - 14:05:26 PDT


    http://www.news.com/News/Item/0,4,25830,00.html
    
    (Leonard got a nice plug for his site by the way :)
    
    Bellsouth says they've fixed their Webmailer. It now checks the IP address
    to make sure it matches the IP they authenticated with.
    
    Gee, someone with access to server log files might also be savvy enough to
    spoof an IP address. Ya think?
    
    This isn't a patch, it's a band-aid.
    
    
    On Tue, 25 Aug 1998, Leonid S. Knyshov wrote:
    
    > Dear Bugtraq readers and security at Bellsouth
    >
    > Upon examining my log files, I came across an interesting fact.
    >
    > Background:
    > As part of my Internet marketing efforts, I read web log files daily to
    > see if anything interesting comes up.
    >
    > Just today I was reading my logs this way: grep welcome.html access.log
    >
    > And among others there was this entry:
    >
    > *.*.*.* - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 200 4427 "http://webmail.bellsouth.net/WebEmail?FormName=ReadMail&WebMail-Action=WebMail-MessageContent&WebMail-MsgNdx=3&WebMail-St=&WebMail-MailBox=INBOX&SEQ=Xnn-43_tE0_PB9GePBFs8txjXohB-IdE&WebMail-MsgCount=69&locale=en&ver=2.0.0&dyn=" "Mozilla/3.02Gold (WinNT; I)"
    >
    > Naturally that sparked my interest, so I went to that exact same URL. I
    > was greeted with a message that 2 hours passed and I am logged off, but
    > that's not a good thing.
    >
    > Concerns:
    > Bellsouth.net webmail customers' accounts may be easily abused
    >
    > Investigation:
    > Just created an account to check out features,
    > POP3 access without additional authentication I presume
    > Oh my God... There is a tab "Personal Info" *gasp*...
    > Address, phone number, place of work, etc.
    >
    > Obviously this is unacceptable. Incredibly easy to bypass security.
    >
    > One attack would be:
    > to: unsuspecting_userat_private
    > subject: check out my site!
    >
    > Hey buddy, check out my site! http://www.crashproofpc.com
    >
    > If they click they send me their UNLOCKED mailbox location via
    > HTTP_REFERER, and if I have access to log files, I can easily get into
    > that account and cause a great deal of trouble. I won't go into any
    > further details :)
    > --
    > Leonid S. Knyshov
    > Information Technology Consultant
    > Crashproof Solutions - "Keeping true to our name!"
    > http://www.crashproofpc.com
    >
    
    --
    Joe H.                                  Technical Support
    General Support:  supportat_private     Blarg! Online Services, Inc.
    Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
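
The log entry quoted above shows a session identifier reaching a third-party site inside the Referer field, where anyone who can read the logs can see it. As an added example (not part of either post), this Python sketch redacts such parameters from Combined Log Format lines before logs are stored or shared; every parameter name other than `SEQ` and the sample line are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: query parameters treated as session-bearing. "SEQ" is the one in
# the quoted log entry; the other names are illustrative additions.
SENSITIVE_PARAMS = {"seq", "sid", "session", "sessionid", "token"}

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<head>\S+ \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def redact_url(url):
    """Return (url, names): url with sensitive query values masked, names masked."""
    parts = urlsplit(url)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS and value:
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return url, hits  # leave untouched URLs byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def redact_line(line):
    """Mask session parameters in the Referer field of one access-log line."""
    line = line.rstrip("\n")
    m = COMBINED.match(line)
    if not m:
        return line, []  # not Combined Log Format; pass through unchanged
    referer, hits = redact_url(m.group("referer"))
    return f'{m.group("head")} "{referer}" "{m.group("agent")}"', hits

# Constructed sample line (documentation address, placeholder host and token).
SAMPLE = ('192.0.2.10 - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" '
          '200 4427 "http://webmail.example/WebEmail?FormName=ReadMail'
          '&SEQ=EXAMPLE-TOKEN&locale=en" "Mozilla/3.02Gold (WinNT; I)"')

if __name__ == "__main__":
    cleaned, found = redact_line(SAMPLE)
    print(found, cleaned, sep="\n")
```

Redacting at the receiving end only limits who can read a token that has already left the webmail service; it does not change what the browser sends.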
    


