Re: Excite Email Disclosure Vulnerability
From: Obscure <obscure () eyeonsecurity net>
Date: Tue, 19 Mar 2002 21:57:14 +0100
Tuesday, March 19, 2002, 12:01:36 AM, you wrote:
JS> Hello all,
JS> It appears that Excite's use of PHP allows for unauthorized access to a
JS> user's mailbox and subsequently his/her account on email.excite.com
JS> Suppose a user receives an E-Mail with a URL and follows the link - the
JS> target server receives a Referer String containing the PHPSESSION-Id
JS> for example).
JS> Copy and paste this into your browser and you have access to that users
JS> I emailed Excite about this on March 9th, but didn't get any response.
JS> such a manner that it does not transmit the session-id on each link.
Also reported to Bugtraq and on EoS:
http://eyeonsecurity.net/advisories/imail.html (Control+F, excite)
I tried to contact them as well, and similarly got no response. To exploit
this to automatically get the URL, you would reference an IMAGE instead of expecting
the user to follow a link.
To test this out, I put up a small tool:
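
Added example, not part of the original message or of either poster's tooling: a Python check a webmail operator could run over a rendered message view to see which third-party hosts would receive the page URL as Referer, separating auto-loaded resources (the image case in the reply) from links that need a click (the case in the quoted report). The parameter names, host names and sample HTML are constructed assumptions, and the check assumes the browser sends the full page URL as Referer.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Assumption: query parameter names that commonly carry a session token.
SESSION_PARAMS = {"phpsessid", "sid", "sessionid", "session_id"}

# Tags whose URL attribute is fetched without user action vs. only on click.
AUTO_LOAD = {"img": "src", "script": "src", "iframe": "src", "link": "href"}
ON_CLICK = {"a": "href"}

def session_params_in(url):
    """Return the session-like query parameter names present in url."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SESSION_PARAMS})

class _ExternalRefs(HTMLParser):
    """Collect references in a message body that point off the page's host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.found = []  # (trigger, tag, host) in document order

    def handle_starttag(self, tag, attrs):
        for table, trigger in ((AUTO_LOAD, "auto"), (ON_CLICK, "click")):
            attr = table.get(tag)
            if attr is None:
                continue
            target = dict(attrs).get(attr) or ""
            host = urlsplit(target).hostname  # None for relative URLs
            if host and host != self.page_host:
                self.found.append((trigger, tag, host))

def referer_leaks(page_url, message_html):
    """List third-party hosts that would see page_url as Referer."""
    if not session_params_in(page_url):
        return []  # no session token in the URL, nothing to leak
    parser = _ExternalRefs(urlsplit(page_url).hostname)
    parser.feed(message_html)
    return parser.found

# Constructed sample: a message view whose URL carries the session token.
PAGE = "http://webmail.example/read.php?msg=7&PHPSESSID=constructed0123"
BODY = ('<p>Hi <a href="http://other.example/offer">click</a>'
        '<img src="http://tracker.example/p.gif" width="1"></p>'
        '<img src="/static/logo.gif">')

if __name__ == "__main__":
    for trigger, tag, host in referer_leaks(PAGE, BODY):
        print(f"{trigger:5} <{tag}> -> {host}")
```

An empty result for every message view means the session token is no longer in the URL, which is the change the original report asks for.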