Re: IMail Account hijack through the Web Interface

From: Henrik Larsson (henrikat_private)
Date: Mon Mar 11 2002 - 15:05:40 PST

    This (among other things in IMail v. 7.04 and earlier) was reported to 
    Bugtraq by Niels Heinen (zilli0nat_private) on the 12th of October last year. 
    The only difference is that this post reports that v. 7.05 is also 
    vulnerable (if not patched).
    
    http://online.securityfocus.com/archive/1/219970
    
    On 21:37 2002-03-10 +0100 Obscure wrote:
    >Advisory Title: IMail Account hijack through the Web Interface
    >Release Date: 10/03/2002
    >Application: IMail Server
    >
    >Platform: Windows NT4
    >           Windows 2000
    >           Windows XP
    >
    >Version: 7.05 or earlier
    >
    >Severity: Malicious users can easily access other people's accounts.
    >
    >Author: Obscure^ [ obscureat_private ]
    >
    >Vendor Status: Informed on 21 Feb 2002, a fix was already issued to
    >customers.
    >
    >
    >Web:
    >
    >http://www.eyeonsecurity.net
    >http://www.ipswitch.com
    >
    >
    >
    >Background.
    >
    >(extracted from
    >http://www.ipswitch.com/Products/IMail_Server/index.html)
    >
    >The 20-Minute E-Mail Solution.
    >IMail Server is an easy-to-use, web-enabled, secure and spam-resistant
    >mail server for Windows NT/2000/XP. It is the choice of businesses,
    >schools, and service providers.
    >
    >A Great Price-Performer.
    >Unlike Microsoft® Exchange and Lotus® Notes, which are costly to
    >deploy and cumbersome to administer, IMail Server is easy to install
    >and easy to manage. It has a simple pricing structure and is scalable
    >to thousands of users per server.
    >
    >
    >Problem.
    >
    >When a user logs in to his account through the Web interface, the
    >session authentication is maintained via a unique URL.
    >By sending an html e-mail which includes an image at another server,
    >an attacker can easily get the unique URL via the
    >referer field in the HTTP header.
    >
    >
    >Exploit Example.
    >
    >http://eyeonsecurity.net/tools/referer.html
    >A CGI script sends an e-mail with an attached image, pointing to
    >another CGI script which sends the referer URL to the
    >attacker.
    >
    >
    >Fix
    >
    >Upgrade to IMail 7.06. The fixed version checks for the IP. The
    >authentication now relies on the unique URL and the IP address.
    >Of course users who log in to IMail Web interface from behind
    >proxies are still vulnerable.
    >
    >
    >ps. this same vulnerability affects Excite WebMail. The Excite guys
    >did not contact me back.
    >
    >
    >Disclaimer.
    >
    >The information within this document may change without notice. Use of
    >this information constitutes acceptance for use in an AS IS condition.
    >There are NO warranties with regard to this information. In no event
    >shall the author be liable for any consequences whatsoever arising out
    >of or in connection with the use or spread of this information. Any
    >use of this information lays within the user's responsibility.
    >
    >
    >Feedback.
    >
    >Please send suggestions, updates, and comments to:
    >
    >Eye on Security
    >mail :   obscureat_private
    >web  :   http://www.eyeonsecurity.net
    
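The following is an added example, not code from IMail, Ipswitch, or either poster. It models the design flaw the advisory describes (a session whose only credential is a unique token in the URL, which a mail client then copies into the Referer header when it fetches a remote image), the 7.06 fix (binding the session to the client IP as well), and the residual weakness the advisory notes (users behind one proxy all present the same address). It also shows a defender-side check over web-server access logs: a session token appearing from more than one client address is a hijack indicator. The `WebmailSessions` class, the URL layout, the IP addresses and the log lines are all constructed for this example.

```python
"""Session-in-URL hijack: what the IMail 7.06 fix stops and what it does not."""
import re
import secrets
from collections import defaultdict


class WebmailSessions:
    """Toy session table: token -> (user, ip_at_login). Hypothetical API."""

    def __init__(self, bind_ip: bool):
        # bind_ip=False models IMail <= 7.05, bind_ip=True models the 7.06 fix
        self.bind_ip = bind_ip
        self._sessions = {}

    def login(self, user: str, client_ip: str) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = (user, client_ip)
        # The token in the path is the only proof of identity, so a leaked
        # URL (for example via a Referer header) is a leaked session.
        return f"/webmail/{token}/inbox"

    def authorize(self, url: str, client_ip: str):
        """Return the user that owns this URL's session, or None."""
        m = re.match(r"^/webmail/([0-9a-f]{32})/", url)
        if not m or m.group(1) not in self._sessions:
            return None
        user, login_ip = self._sessions[m.group(1)]
        if self.bind_ip and client_ip != login_ip:
            return None  # 7.06 behaviour: token from a different address is refused
        return user


def referer_for_image_fetch(page_url: str) -> str:
    """Mail clients of the era sent the full page URL as the Referer when
    fetching a remote image embedded in an HTML message (constructed model)."""
    return page_url


def demo():
    """Replay the advisory's three cases; returns who the server accepts."""
    victim_ip, other_ip = "10.0.0.5", "203.0.113.9"   # constructed addresses
    results = {}
    for label, bind in (("7.05", False), ("7.06", True)):
        s = WebmailSessions(bind_ip=bind)
        url = s.login("alice", victim_ip)
        leaked = referer_for_image_fetch(url)
        results[label] = s.authorize(leaked, other_ip)
    # Proxy caveat: two users behind one proxy share its address, so the
    # IP check alone cannot tell them apart.
    s = WebmailSessions(bind_ip=True)
    url = s.login("alice", "198.51.100.1")
    results["7.06-shared-proxy"] = s.authorize(url, "198.51.100.1")
    return results


# Constructed Common Log Format lines for the detection check below.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2002:21:37:01 +0100] "GET /webmail/0123456789abcdef0123456789abcdef/inbox HTTP/1.0" 200 512',
    '203.0.113.9 - - [10/Mar/2002:21:39:15 +0100] "GET /webmail/0123456789abcdef0123456789abcdef/inbox HTTP/1.0" 200 512',
    '10.0.0.7 - - [10/Mar/2002:21:40:00 +0100] "GET /webmail/ffffffffffffffffffffffffffffffff/inbox HTTP/1.0" 200 512',
]

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (/webmail/([0-9a-f]{32})/\S*) ')


def tokens_seen_from_multiple_ips(log_lines):
    """Detection: group requests by session token and report any token that
    was used from more than one client IP."""
    ips_by_token = defaultdict(set)
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m:
            ips_by_token[m.group(3)].add(m.group(1))
    return {tok: sorted(ips) for tok, ips in ips_by_token.items() if len(ips) > 1}


if __name__ == "__main__":
    print(demo())
    print(tokens_seen_from_multiple_ips(SAMPLE_LOG))
```

The detection function is the part worth keeping: even on 7.06, a token that shows up from two addresses (or, behind a shared proxy, from two different User-Agent strings) is the signal that the URL has been copied somewhere it should not have gone. The durable fix is to keep the credential out of the URL altogether, since anything in the URL travels in Referer headers, proxy logs and browser history.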



    This archive was generated by hypermail 2b30 : Tue Mar 12 2002 - 17:26:07 PST