Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4
From: "Ricardo J. Ulisses Filho" <ricardoj () hotlink com br>
Date: Fri, 15 Aug 2003 12:35:25 -0300

Hi,

I've made some tests here and could reproduce the same vulnerability behaviour 
described in your advisory. 
Reading about session handlers, in php.ini, there is an option called 
"session.use_only_cookies", that, if set, avoids such sort of attack which 
involves passing session ids in URLs.
Unfortunately, this option is not used by most default php.ini configurations.

Regards,

-- 
Ricardo J. Ulisses Filho
_____________________________
ricardoj () hotlink com br
System Administrator
HOTlink Internet - Recife / PE /  Brazil

On Wednesday 13 August 2003 18:26, Vincenzo 'puccio' Ciaglia wrote:
---------------------------
PUCCIOLAB.ORG - ADVISORIES
<http://www.pucciolab.org>
---------------------------

PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4

---------------------------------------------------------------------------
PuCCiOLAB.ORG Security Advisories                      puccio () pucciolab org
http://www.pucciolab.org                          Vincenzo 'puccio' Ciaglia
August 12th, 2003
---------------------------------------------------------------------------

Package        : Horde MTA
Vulnerability  : access to private account without login
Problem-Type   : remote
Version        : All < 2.2.4
Official Site  : http://horde.org/
N° Advisories  : 0001

***********************
Description of problem
************************
An attacker could send an email to the victim who ago use of HORDE MTA in
order to push it to visit a website. The website in issue log all the
accesses and describe in the particular the origin of every victim.

Example:
-------------------
MY STAT FOR MY WEBSITE - REFERENT DOMAIN
HTTP://MYSITE.MYSOCIETY.NET/HORDE/IMP/MESSAGE.PHP?HORDE=FC235847D2C8A88190C
879B290D12630&INDEX=XXX

In this example, the victim has visualized our website reading the mail
that we have sent to it. Visiting the link marked from our counter of
accesses, we will be able to approach the page of management of the mail of
the victim and will be able to read and to send, calmly, its email without
to make the login.The session comes sluice after approximately 20 minutes
and the hacker it has the time to make its comfortable ones.

*************************
What could make a attacker?
*************************
Read, write and fake your e-mail. Could send , from you email address, a
mail to your ISP and ask it User e PASS of your website.The consequences
would be catastrophic

*************************
What I can do ?
*************************
Upgrade your MTA Agent to 2.2.4 version.

Greet,
Vincenzo 'puccio' Ciaglia
www.pucciolab.org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault