SecurityTracker.com

SecurityTracker
Archives


Category:  Application (E-mail Client)  >  VSNL POP
Vendors:  Videsh Sanchar Nigam Limited (VSNL)
VSNL POP E-mail Client Discloses Account Authentication Information Via the Referer Field
SecurityTracker Alert ID:  1007691
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Sep 13 2003
Impact:  Disclosure of authentication information, User access via network
Exploit Included:  Yes  
Description:  A vulnerability was reported in the VSNL POP e-mail client. A remote user can gain access to a target user's webmail account in certain cases.

It is reported that the software stores session authentication information in the URL. A remote user that can monitor the network can capture the URL and then access the target user's account. Also, when the target user clicks on a web server link contained within an e-mail message, the Referer field (containing the session ID) is provided to the destination web server. A remote user with access to the web server's log files can obtain the Referer field and then access the target user's account.

It is also reported that the session ID is only six digits. A remote user may be able to guess the session ID by brute force.

Impact:  A remote user may be able to capture a target user's URL-based session ID and access the target user's account.
Solution:  No solution was available at the time of this entry.
Vendor URL:  internet.vsnl.com/
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  "Jonathan A. Zdziarski" <jonathan@nuclearelephant.com>
Message History:   None.
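
The flaw described above next to a cookie-based alternative, as an added example that is not part of the original advisory or of VSNL's code. The host, path and `sid` parameter name are constructed, and `referer_for` is a simplified model of browser behaviour.

```python
import math
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# Constructed URL shaped like the design in the advisory: a six-digit session
# ID in the query string. Host, path and the "sid" parameter are assumptions.
WEAK_MAILBOX_URL = "http://webmail.example/inbox?user=alice&sid=483920"


def referer_for(page_url, referrer_policy=None):
    """Simplified model of the Referer a browser sends when a link on
    page_url is followed. Only two policy values are modelled."""
    parts = urlsplit(page_url)
    if referrer_policy == "no-referrer":
        return None
    if referrer_policy == "origin":
        return f"{parts.scheme}://{parts.netloc}/"
    # No policy, as browsers behaved when the advisory was written:
    # the full URL is sent, query string included.
    return parts._replace(fragment="").geturl()


def leaked_session_id(referer, param="sid"):
    """Session value the linked site's access log would end up holding."""
    if referer is None:
        return None
    values = parse_qs(urlsplit(referer).query).get(param)
    return values[0] if values else None


def hardened_login_headers():
    """Response headers for a cookie-based session: a 256-bit random token
    that never appears in a URL, plus a policy that suppresses the Referer."""
    cookie = SimpleCookie()
    cookie["session"] = secrets.token_urlsafe(32)
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return [
        ("Set-Cookie", cookie["session"].OutputString()),
        ("Referrer-Policy", "no-referrer"),
    ]


def id_space_bits(alphabet_size, length):
    """Bits of entropy in an ID of `length` symbols drawn uniformly."""
    return length * math.log2(alphabet_size)
```

A six-digit decimal ID gives `id_space_bits(10, 6)`, just under 20 bits, against 256 bits for the cookie token.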


 Source Message Contents

Date:  Fri, 12 Sep 2003 18:44:45 -0400
From:  "Jonathan A. Zdziarski" <jonathan@nuclearelephant.com>
Subject:  [Full-Disclosure] VSNL POP Webmail Referer Vulnerability

 

About VSNL POP:
VSNL POP appears to be a proprietary webmail client used by VSNL.COM's webmail subscriber service.
VSNL is a provider of IP - VPN solutions in both India and the United States with
over 1GB of Internet Bandwidth capacity who provide public webmail services on a subscription basis.

Vulnerability:
While glancing at my personal website visitors using WebPulse (a tool
bundled with WebConference LiveHelp for monitoring website visitors in
real time), I clicked on the referer for one user in particular to see
who was linking to my site.  To my shock and dismay, I was logged right
into the user's web-based mailbox and had access to their address book,
inbox, etcetera.

It appears that VSNL mail does not have any type of session-cookie
authentication as most webmail clients do, but rather stores the session
id in the URL.  The result is an open hole enabling anyone to log into
the user's mailbox as long as the user is still logged in, provided they
have this information.

The obvious attack is anyone who is able to obtain the session id of the
victim from an HTTP_REFERER.  This information is divulged whenever a
user clicks on a link from within their webmail.  

Due to another vulnerability (the fact that the session id is only six
digits), one could theoretically also launch a brute force session id
attack on the URL in an attempt to gain access to any open
accounts...but may at least have to match the username.

Workaround:
If you are a VSNL POP webmail user, do not click on any web links
directly, but copy/paste them into your browser.  Whenever you are
logged in, also remember that you are subject to a potential brute force
attack until VSNL repairs this problem.





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 



Copyright 2002, SecurityGlobal.net LLC