Re: Excite Email Disclosure Vulnerability

From: Obscure (obscureat_private)
Date: Tue Mar 19 2002 - 12:57:14 PST


    Hello Jan,
    
    Tuesday, March 19, 2002, 12:01:36 AM, you wrote:
    
    JS> Hello all,
    
    JS> It appears that Excite's use of PHP allows for unauthorized access to a
    JS> users mailbox and subsequently his/her account on email.excite.com
    
    JS> Suppose a user receives an E-Mail with a URL and follows the link - the
    JS> target server receives a Referer String containing the PHPSESSION-Id
    JS> (http://e19.email.excite.com/msg_read.php?t=0&m=0&s=1&d=1&mid=157&PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    JS> for example).
    
    JS> Copy and paste this into your browser and you have access to that users
    JS> mailbox.
    
    JS> I emailed Excite about this on March 9th, but didn't get any response.
    JS> A proposed solution for Excite would be to use cookies or to use PHP in
    JS> such a manner that it does not transmit the session-id on each link.
    
    JS> -Jan
    
    Also reported to bugtraq and on EoS:
    http://eyeonsecurity.net/advisories/imail.html   (Control+F, excite)
    
    I tried to contact them as well, and similarly got no response. To exploit
    this to automatically get the URL, you would reference an IMAGE instead of expecting
    the user to follow a link.
    
    To test this, check out a small tool I put up:
    http://eyeonsecurity.net/tools/referer.html
    
    -- 
    Best regards,
     Obscure
    
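The fix Jan proposes above (keep the session id in a cookie and never write it into links), as an added example written for this page and not taken from the thread or from Excite's code; it assumes the site is served over HTTPS (for the secure-cookie flag) and that this runs before session_start() on every page:

```php
<?php
// Added example, not code from the original post or from Excite: configure PHP so the
// session id travels only in a cookie and is never written into links, then treat
// any id that still arrives in the query string as a leaked or planted value.

// Settings that produce the behaviour described in the thread: with session.use_trans_sid
// on, PHP rewrites every link and form action to carry ?PHPSESSID=..., so the id
// ends up in the Referer header sent to whatever the user clicks or an <img> loads.
//   session.use_trans_sid    = 1
//   session.use_only_cookies = 0

// Hardened settings (php.ini, or ini_set() before session_start() as shown here).
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1'); // ignore ids supplied via GET/POST/URL
ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the id
ini_set('session.cookie_httponly', '1');  // keep the cookie away from page scripts
ini_set('session.cookie_secure', '1');    // cookie only over HTTPS (assumes TLS)

/** True when the request URL carries a session id parameter (PHPSESSID by default). */
function session_id_in_query(array $query): bool
{
    return isset($query[session_name()]);
}

/** Rebuild the current path and query without the session id parameter. */
function url_without_session_id(string $request_uri, array $query): string
{
    unset($query[session_name()]);
    $path = strtok($request_uri, '?');
    return $query ? $path . '?' . http_build_query($query) : $path;
}

if (session_id_in_query($_GET)) {
    // With use_only_cookies on, PHP will not adopt this id, but the event is worth
    // logging: it means a link carrying a session id is circulating somewhere.
    error_log('session id received in query string from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    header('Location: ' . url_without_session_id($_SERVER['REQUEST_URI'], $_GET), true, 302);
    exit;
}

// Modern defence in depth: tell browsers not to send the page URL to other origins
// at all, so cross-site Referer leakage stops at the source.
header('Referrer-Policy: same-origin');

session_start();
```

The redirect also scrubs ids out of any old mailbox links still in circulation, so a bookmarked or forwarded URL stops carrying the token the moment it is followed.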
    This archive was generated by hypermail 2b30 : Wed Mar 20 2002 - 23:56:40 PST