From: Zillion (zillion@safemode.org)
Date: Sun Mar 10 2002 - 22:11:43 CST


    Hi all,

    I think this was already covered for Imail 7.04 in the following
    advisory:

    http://cert.uni-stuttgart.de/archive/bugtraq/2001/10/msg00082.html

    The workaround given by Ipswitch was:

    Turn off the "ignore source address in security check" option. This isn't
    a bulletproof workaround (think of proxies, NAT etc.) but can help to
    prevent abuse of this issue.

    zillion

    On Sun, 10 Mar 2002, Obscure wrote:

    > Advisory Title: IMail Account hijack through the Web Interface
    > Release Date: 10/03/2002
    > Application: IMail Server
    >
    > Platform: Windows NT4
    > Windows 2000
    > Windows XP
    >
    > Version: 7.05 or earlier
    >
    > Severity: Malicious users can easily access other people's accounts.
    >
    > Author: Obscure^ [ obscure@eyeonsecurity.net ]
    >
    > Vendor Status: Informed on 21 Feb 2002, a fix was already issued to
    > customers.
    >
    >
    > Web:
    >
    > http://www.eyeonsecurity.net
    > http://www.ipswitch.com
    >
    >
    >
    > Background.
    >
    > (extracted from
    > http://www.ipswitch.com/Products/IMail_Server/index.html)
    >
    > The 20-Minute E-Mail Solution.
    > IMail Server is an easy-to-use, web-enabled, secure and spam-resistant
    > mail server for Windows NT/2000/XP. It is the choice
    > of businesses, schools, and service providers.
    >
    > A Great Price-Performer.
    > Unlike Microsoft® Exchange and Lotus® Notes, which are costly to
    > deploy and cumbersome to administer, IMail Server is easy
    > to install and easy to manage. It has a simple pricing structure and
    > is scalable to thousands of users per server.
    >
    >
    > Problem.
    >
    > When a user logs in to his account through the Web interface, the
    > session authentication is maintained via a unique URL.
    > By sending an html e-mail which includes an image at another server,
    > an attacker can easily get the unique URL via the
    > referer field in the HTTP header.
    >
    >
    > Exploit Example.
    >
    > http://eyeonsecurity.net/tools/referer.html
    > A CGI script sends an e-mail with an attached image, pointing to
    > another CGI script which sends the referer URL to the
    > attacker.
    >
    >
    > Fix
    >
    > Upgrade to IMail 7.06. The fixed version checks for the IP. The
    > authentication now relies on the unique URL and the IP
    > address. Of course users who log in to the IMail Web interface from
    > behind proxies are still vulnerable.
    >
    >
    > PS. This same vulnerability affects Excite WebMail. The Excite guys
    > did not contact me back.
    >
    >
    > Disclaimer.
    >
    > The information within this document may change without notice. Use of
    > this information constitutes acceptance for use in an AS IS
    > condition. There are NO warranties with regard to this information.
    > In no event shall the author be liable for any consequences whatsoever
    > arising out of or in connection with the use or spread of this
    > information. Any use of this information lays within the user's
    > responsibility.
    >
    >
    > Feedback.
    >
    > Please send suggestions, updates, and comments to:
    >
    > Eye on Security
    > mail : obscure@eyeonsecurity.net
    > web : http://www.eyeonsecurity.net
    >
    >
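The mechanism the quoted advisory describes (a session token carried in the webmail URL, copied by the browser into the Referer header when the page loads an external image) and the two mitigations discussed in the thread (the IP-bound check Ipswitch shipped, and its proxy/NAT caveat) can be reproduced in a few lines. The following is an added example written for this archive page; it is not code from Ipswitch, Obscure or Zillion, and the hostnames, IP addresses and the `/mail/<token>/inbox` URL layout are constructed for the demonstration, not IMail's real URL scheme.

```python
"""Simulation of a URL-borne session token leaking through the HTTP Referer
header, plus a URL-only session check beside an IP-bound one.
Added example for this archive page; not Ipswitch, Obscure or Zillion code.
All hosts, IPs and the URL layout below are constructed for the demo."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit
import secrets


def referer_for(page_url: str) -> str:
    """Model of the default Referer a browser sends when fetching a
    subresource (e.g. an image) from the page at page_url: the page URL
    with the fragment removed and any userinfo dropped."""
    p = urlsplit(page_url)
    netloc = p.hostname or ""
    if p.port:
        netloc = f"{netloc}:{p.port}"
    return urlunsplit((p.scheme, netloc, p.path, p.query, ""))


def token_leaks_via_referer(page_url: str, token: str) -> bool:
    """True when a token embedded in the page URL would reach the server
    hosting an external image via the Referer header."""
    return token in referer_for(page_url)


class SessionStore:
    """Minimal session table: token -> (user, client IP seen at login)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, str]] = {}

    def login(self, user: str, client_ip: str) -> str:
        token = secrets.token_hex(16)  # the 'unique URL' component
        self._sessions[token] = (user, client_ip)
        return token

    def auth_url_only(self, token: str) -> Optional[str]:
        """Pre-fix behaviour: whoever presents the URL token is the user."""
        entry = self._sessions.get(token)
        return entry[0] if entry else None

    def auth_ip_bound(self, token: str, client_ip: str) -> Optional[str]:
        """Post-fix behaviour (as the advisory describes for 7.06): the token
        is honoured only from the IP it was issued to."""
        entry = self._sessions.get(token)
        if entry is None or entry[1] != client_ip:
            return None
        return entry[0]


def run_demo() -> Dict[str, object]:
    """Walk through the leak and both checks; returns the observations."""
    store = SessionStore()
    victim_ip, attacker_ip, shared_proxy_ip = "192.0.2.10", "203.0.113.9", "198.51.100.1"

    token = store.login("alice", victim_ip)
    # Constructed webmail URL layout carrying the session token in the path.
    page_url = f"http://webmail.example/mail/{token}/inbox?folder=INBOX#top"

    leaked = token_leaks_via_referer(page_url, token)            # image load exposes it
    replay_url_only = store.auth_url_only(token)                 # replayed token accepted
    replay_ip_bound = store.auth_ip_bound(token, attacker_ip)    # replayed token refused

    # Caveat raised in the thread: two clients behind the same proxy/NAT present
    # the same source address, so the IP check cannot tell them apart.
    proxied_token = store.login("bob", shared_proxy_ip)
    replay_behind_proxy = store.auth_ip_bound(proxied_token, shared_proxy_ip)

    return {
        "leaked": leaked,
        "replay_url_only": replay_url_only,
        "replay_ip_bound": replay_ip_bound,
        "replay_behind_proxy": replay_behind_proxy,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running `run_demo()` shows the three states the thread talks about: the token is present in the Referer, a URL-only check accepts it from any address, and the IP-bound check refuses it from a different address but still accepts it when victim and replayer share a proxy or NAT address, which is exactly why Zillion calls the source-address check helpful but not bulletproof.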