Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re[2]: [VulnWatch] IMail Account hijack through the Web Interface
From: Obscure <obscure () eyeonsecurity net>
Date: Tue, 12 Mar 2002 08:10:40 +0100

Hello Zillion,

Monday, March 11, 2002, 5:11:43 AM, you wrote:


Z> Hi all,

Z> I think this was already covered for Imail 7.04 in the following
Z> advisory:

Z> http://cert.uni-stuttgart.de/archive/bugtraq/2001/10/msg00082.html

Z> The workaround given by Ipswitch was:

Z> Turn off the "ignore source address in security check" option. This isn't
Z> a bullet proof workaround (think of proxies,nat etc) but can help to
Z> prevent abuse of this issue.

Z> zillion

Seems like this is old news ;)

As an additional workround:
In my testing, when using HTTPS (secure mode) to access your IMail
account, the referer is not being sent, meaning that clients using
HTTPS should not be vulnerable. This was tested with Internet Explorer 6
and Mozilla 0.9.8 against the tool at:
http://eyeonsecurity.net/tools/referer.html


Z> On Sun, 10 Mar 2002, Obscure wrote:

Advisory Title: IMail Account hijack through the Web Interface
Release Date: 10/03/2002
Application: IMail Server

Platform: Windows NT4
          Windows 2000
          Windows XP

Version: 7.05 or earlier

Severity: Malicious users can easily access other people's accounts.

Author: Obscure^ [ obscure () eyeonsecurity net ]

Vendor Status: Informed on 21 Feb 2002, a fix was already issued to
customers.


Web:

http://www.eyeonsecurity.net
http://www.ipswitch.com



Background.

(extracted from
http://www.ipswitch.com/Products/IMail_Server/index.html)

The 20-Minute E-Mail Solution.
IMail Server is an easy-to-use, web-enabled, secure and
spam-resistant
mail server for Windows NT/2000/XP. It is the choice
of businesses, schools, and service providers.

A Great Price-Performer.
Unlike Microsoft® Exchange and Lotus® Notes, which are costly to
deploy and cumbersome to administer, IMail Server is easy
to install and easy to manage. It has a simple pricing structure and
is scalable to thousands of users per server.


Problem.

When a user logs in to his account through the Web interface, the
session authentication is maintained via a unique URL.
By sending an html e-mail which includes an image at another server,
an attacker can easily get the unique URL via the
referer field in the HTTP header.


Exploit Example.

http://eyeonsecurity.net/tools/referer.html
A CGI script sends an e-mail with an attached image, pointing to
another CGI script which sends the referer URL to the
attacker.


Fix

Upgrade to IMail 7.06. The fixed version checks for the IP. The
authentication now relies on the unique URL and the IP
address. Of course users who log in to IMail Web interface from
behind
proxies, are still vulnerable.


ps. this same vulnerability effects Excite WebMail. The Excite guys
did not contact me back.


Disclaimer.

The information within this document may change without notice. Use
of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences
whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.


Feedback.

Please send suggestions, updates, and comments to:

Eye on Security
mail :   obscure () eyeonsecurity net
web  :   http://www.eyeonsecurity.net




-- 
Best regards,
 Obscure                            mailto:obscure () zero6 net


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]