SecurityTracker.com
SecurityTracker
Archives


Category:  Application (E-mail Server)  >  Mail.com
Vendors:  Mail.com
Mail.com Hosted E-mail Service Input Validation Flaw Lets Remote Users Modify Account Settings
SecurityTracker Alert ID:  1005152
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Aug 29 2002
Impact:  Modification of user information, User access via network
Exploit Included:  Yes  
Description:  An input validation flaw was reported in the 'Mail.com' iName hosted e-mail service. A remote user can create HTML that, when loaded by a target user, will change the target user's e-mail account information.

It is reported that the '/scripts/mail/mesg.mail' script does not remove scripting code from HTML attachments. In addition, the '/scripts/common/profile.cgi' script reportedly accepts information submitted by untrusted servers. A remote user can create HTML containing JavaScript code and send it to a target user as a file attachment. When the target user opens the malicious message in the web-mail interface, the target user's browser executes the code. The code may redirect the browser to the remote user's site, which can then redirect back to the 'profile.cgi' script to change settings on the target user's e-mail account. The setting changes are accepted because the target user's login session cookies are still valid.

A demonstration exploit service is available at:

http://tager.org/mail.com/

Impact:  A remote user can change a target user's e-mail account settings.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.mail.com/
Cause:  Input validation error
Reported By:  "Andrew G. Tereschenko" <secure.bugtraq@tag.odessa.ua>
Message History:   None.
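The two bugs the entry names (script code left in HTML attachments that the web-mail view renders, and profile changes accepted on the strength of a valid session cookie alone) map to two standard server-side mitigations. The following is an added example and is not code from SecurityTracker, Mail.com or the reporter: an allow-list HTML sanitizer of the kind a web-mail front end applies before showing an attachment inline, and a settings handler that refuses a change unless the request also carries a per-session, single-use anti-forgery token. The function names, the in-memory SESSION_TOKENS store and the sample attachment are constructed for this example.

```python
import hmac
import secrets
from html import escape
from html.parser import HTMLParser

# --- Bug 1: script code left in HTML attachments ---------------------------
# Allow-list for HTML rendered inline. Anything not listed is dropped, so
# event-handler attributes (onclick, onload, ...) can never survive.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                "a", "h1", "h2", "h3", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# Elements whose text content is discarded along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}


class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside an element from DROP_WITH_CONTENT

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            url = (value or "").strip().lower()
            if name == "href" and not url.startswith(SAFE_URL_SCHEMES):
                continue  # rejects javascript:, data:, vbscript: and relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is treated like <br>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # re-escape text so it cannot form markup


def sanitize_html(raw):
    """Return an allow-listed version of an HTML attachment for inline display."""
    parser = _Sanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out)


# --- Bug 2: settings changes accepted with only a session cookie -----------
# The real settings form carries a per-session, single-use token in a hidden
# field. A request that arrives only with a valid cookie (for instance after a
# redirect from a third-party site) does not carry it and is refused.
SESSION_TOKENS = {}  # session id -> outstanding form token (stand-in for server storage)


def issue_form_token(session_id):
    """Called when the settings page is rendered; the token goes into a hidden field."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def update_profile(session_id, form):
    """Apply a profile change only if `form` carries the token issued to this session."""
    expected = SESSION_TOKENS.get(session_id)
    supplied = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return {"ok": False, "reason": "missing or invalid anti-forgery token"}
    del SESSION_TOKENS[session_id]  # single use: a replayed token is rejected
    changes = {k: v for k, v in form.items() if k != "csrf_token"}
    return {"ok": True, "changed": changes}


if __name__ == "__main__":
    # Constructed sample attachment: inline text plus an embedded script.
    attachment = '<p>Hello <b onclick="x()">reader</b><script>alert(1)</script></p>'
    print(sanitize_html(attachment))  # <p>Hello <b>reader</b></p>

    token = issue_form_token("sess-123")
    print(update_profile("sess-123", {"password_hint": "x"}))  # refused: no token
    print(update_profile("sess-123", {"password_hint": "x", "csrf_token": token}))  # accepted
```

The sanitizer works by allow-listing rather than by stripping known-bad constructs, so a tag or attribute the author did not anticipate is dropped by default; HTMLParser already discards HTML comments, which closes the conditional-comment route as well. The token check is what breaks the redirect chain the entry describes: the browser still sends the session cookie on the forged request, but the forged request cannot contain a token that was only ever rendered into the user's own settings page.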


 Source Message Contents

Date:  Thu, 29 Aug 2002 06:07:41 +0300
From:  "Andrew G. Tereschenko" <secure.bugtraq@tag.odessa.ua>
Subject:  [Full-Disclosure] iName/Mail.com security holes opens door to millions of e-mail accounts

 

iName/Mail.com security holes open the door to millions of e-mail accounts


Millions of free Internet e-mail accounts provided
by the iName/MAIL.COM service are vulnerable to a major security
breach that allows changing account information,
including the password hint/answer and, as a result, the password too.


The breach works via a special e-mail message containing JavaScript
code in an HTML file attachment.
If the user opens this e-mail in the web-mail interface,
this code will redirect the user's browser to an evil site.
This site will redirect it back to a mail.com page that changes account information.
Because login session cookies are still valid, the account information will be changed.

Here is a list of email domains hosted by MAIL.COM service: 

-------- 
Mail.com, Email.com, consultant.com, europe.com, mindless.com, 
earthling.net, myself.com, post.com, techie.com, usa.com, 
writeme.com, 2die4.com, artlover.com, bikerider.com, catlover.com, 
cliffhanger.com, cutey.com, doglover.com, gardener.com, 
hot-shot.com, inorbit.com, loveable.com, mad.scientist.com, 
playful.com, poetic.com, popstar.com, saintly.com, seductive.com, 
soon.com, whoever.com, winning.com, witty.com, yours.com, 
africamail.com, arcticmail.com, asia.com, australiamail.com, 
europe.com, japan.com, samerica.com, usa.com, berlin.com, 
dublin.com, london.com, madrid.com, moscowmail.com, munich.com, 
nycmail.com, paris.com, rome.com, sanfranmail.com, singapore.com, 
tokyo.com, accountant.com, adexec.com, allergist.com, alumnidirector.com, 
archaeologist.com, chemist.com, clerk.com, columnist.com, comic.com, 
consultant.com, counsellor.com, deliveryman.com, diplomats.com, doctor.com, 
dr.com, engineer.com, execs.com, financier.com, geologist.com, graphic-designer.com, 
hairdresser.net, insurer.com, journalist.com, lawyer.com, legislator.com 
lobbyist.com, minister.com, musician.org, optician.com, pediatrician.com, 
presidency.com, priest.com, programmer.net, publicist.com, realtyagent.com, 
registerednurses.com, repairman.com, representative.com, rescueteam.com, 
scientist.com, sociologist.com, teacher.com, techie.com, umpire.com 

and possibly some others, because mail.com hosts some non-free e-mail ISPs
-------- 


Proof: 

A sample page with an exploit is available here: http://tager.org/mail.com/

You can request a test e-mail to be sent to your iName/MAIL.COM account.
Opening this test e-mail will redirect your browser twice.
As a result, your account information will be changed to values known to the evil site.
(You can check it by clicking on "My Account".)

One of the items changed is the Password Hint/Answer.
(I'm changing it to some random values to prevent
exploitation of this hole by lame script kiddies)

If the evil site stores information from all successful attempts,
it will be able to easily obtain users' passwords via the "Forgot Password" service.


A bit more technical detail:
There are at least two bugs on mail.com used for this:
1. /scripts/mail/mesg.mail fails to remove script code from HTML attachments
2. /scripts/common/profile.cgi accepts information submitted by untrusted servers.


Current advice to users:
There is no way to use this site without JavaScript.
(Mail.com is trying to get as much money as possible
from JavaScript advertisement pop-ups)

As a result, there is only one way to protect yourself:
"Do not open any e-mails with attachments
until Mail.com fixes this bug"


Credit:
This bug was not originally found by me.
I would like to thank one "black hat" hacker (possibly from Russia)
who was trying to take control of my e-mail account.


Feel free to contact me for more details, 
-- 
Andrew G. Tereschenko 
TAG Software, Research Lab 
Odessa, Ukraine 
secure@tag.odessa.ua 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 



Copyright 2002, SecurityGlobal.net LLC