OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Obscure (obscureeyeonsecurity.net)
Date: Sun Mar 10 2002 - 14:37:33 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Advisory Title: IMail Account hijack through the Web Interface
    Release Date: 10/03/2002
    Application: IMail Server

    Platform: Windows NT4
              Windows 2000
              Windows XP

    Version: 7.05 or earlier

    Severity: Malicious users can easily access other people's accounts.

    Author: Obscure^ [ obscureeyeonsecurity.net ]

    Vendor Status: Informed on 21 Feb 2002, a fix was already issued to
    customers.

    Web:

    http://www.eyeonsecurity.net
    http://www.ipswitch.com

    Background.

    (extracted from
    http://www.ipswitch.com/Products/IMail_Server/index.html)

    The 20-Minute E-Mail Solution.
    IMail Server is an easy-to-use, web-enabled, secure and
    spam-resistant
    mail server for Windows NT/2000/XP. It is the choice
    of businesses, schools, and service providers.

    A Great Price-Performer.
    Unlike Microsoft® Exchange and Lotus® Notes, which are costly to
    deploy and cumbersome to administer, IMail Server is easy
    to install and easy to manage. It has a simple pricing structure and
    is scalable to thousands of users per server.

    Problem.

    When a user logs in to his account through the Web interface, the
    session authentication is maintained via a unique URL.
    By sending an html e-mail which includes an image at another server,
    an attacker can easily get the unique URL via the
    referer field in the HTTP header.

    Exploit Example.

    http://eyeonsecurity.net/tools/referer.html
    A CGI script sends an e-mail with an attached image, pointing to
    another CGI script which sends the referer URL to the
    attacker.

    Fix

    Upgrade to IMail 7.06. The fixed version checks for the IP. The
    authentication now relies on the unique URL and the IP
    address. Of course users who log in to IMail Web interface from
    behind
    proxies, are still vulnerable.

    ps. this same vulnerability effects Excite WebMail. The Excite guys
    did not contact me back.

    Disclaimer.

    The information within this document may change without notice. Use
    of
    this information constitutes acceptance for use in an AS IS
    condition. There are NO warranties with regard to this information.
    In no event shall the author be liable for any consequences
    whatsoever
    arising out of or in connection with the use or spread of this
    information. Any use of this information lays within the user's
    responsibility.

    Feedback.

    Please send suggestions, updates, and comments to:

    Eye on Security
    mail : obscureeyeonsecurity.net
    web : http://www.eyeonsecurity.net