Home page logo

bugtraq logo Bugtraq mailing list archives

Remote File Attachment Theft via comm.lycos.com,angelfire.com, eudoramail.com
From: Philip Stoev <philip () STOEV ORG>
Date: Tue, 28 Nov 2000 22:18:58 +0200

Hash: SHA1

Date Published: November 28, 2000

Title: Remote File Attachment Theft via comm.lycos.com,angelfire.com,

Class: Access Validation Error

Remotely Exploitable: Yes

Vulnerability Description:

WebMail (possibly WhoWhere.com software) as installed on
comm.lycos.com, angelfire.com, eudoramail.com and others allows an
attacker to hijack other people's attachments by modifying the hidden
form fields on the compose message form. If a file is attached to a
message, the compose message form has a hidden form field that looks
something like this:

filename.txt = /tmp/cache/24377.550

By setting it to a similar value, one can send email containing
someone else's attachments. For example:

filename.txt = /tmp/cache/24377.549

It was also possible to do ../..-style directory transversal.

The nature of the problem lies in the following:

1. User is allowed to reference attachments belonging to other users,
that is, there were no file-ownership checks.
2. User input was not validated for ".." character sequences.
3. Naming of temporary files followed an easy-to-predict numbering

Technical Description - Exploit/Concept Code:

This problem is trivial to exploit by hand by saving the compose
message HTML form locally and modifying it. However, it is imperative
to note that enforcing strict user-agent, cookie and referer check
does not prevent such vulnerabilities from being exploited. There are
publicly available tools (Such as The ELZA at www.stoev.org) that
allow for the exploitation of such vulnerabilities, while preserving
stealth behavior with respect to cookies, referers and user-agent
strings to the extent required to keep the web site software happy.

Solution/Vendor Information/Workaround:

The vendor has fixed this particular problem, however all web mail
vendors are hereby urged to evaluate their systems for similar

Vendor notified on: November 8, 2000

Credits: This vulnerability was discovered and reported by Philip
Stoev <philip () stoev org>.

This advisory was drafted with the help of the SecurityFocus.com
Vulnerability Help Team. For more information or assistance drafting
advisories please mail vulnhelp () securityfocus com 

Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
Comment: www stoev org


  By Date           By Thread  

Current thread:
  • Remote File Attachment Theft via comm.lycos.com,angelfire.com, eudoramail.com Philip Stoev (Nov 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]