2 messages in net.sourceforge.lists.courier-users: [courier-users] Re: PCL-0002: Session Hijacking in "Sqwebmail"
From                Sent On
Bill Michell        Nov 17, 2003 4:52 pm
Sam Varshavchik     Nov 17, 2003 6:14 pm
Subject: [courier-users] Re: PCL-0002: Session Hijacking in "Sqwebmail"
From: Sam Varshavchik (mrs@courier-mta.com)
Date: Nov 17, 2003 6:14:44 pm
List: net.sourceforge.lists.courier-users

Bill Michell writes:

Hmm - I thought that sqwebmail was written to avoid this kind of vulnerability...

[ … ]

This is nonsense.

A) By default, only HTTP access from the login IP address is allowed. This can only work if: 1) The login userid explicitly unchecked the option at login time and 2) You explicitly click on a link in an E-mail.

B) All links are washed of their referral tags. There's no mention in this “report” (and I use the term loosely) if he found a way around it.

Nothing to see here, move along…

Offer this 3L1+3 D00D an opportunity to send you an E-mail with a link, click on it, and let him try to do something with your mail session.

-- Bill Michell bi@mics.org.uk

-----Original Message-----
From: Vincenzo Ciaglia [mailto:puc@pucciolab.org]
Sent: 18 November 2003 01:18
To: bugt@securityfocus.com
Subject: PCL-0002: Session Hijacking in "Sqwebmail"

---------------------------
PUCCIOLAB.ORG - ADVISORIES <http://www.pucciolab.org>
---------------------------

PCL-0002: Session Hijacking in "Sqwebmail"

--------------------------------------------------------------
PuCCiOLAB.ORG Security Advisories
puc@pucciolab.org
http://www.pucciolab.org
Vincenzo Ciaglia
November 18th, 2003
--------------------------------------------------------------

Package        : Sqwebmail
Vendor         : Inter7
Vulnerability  : access to private account without login, session hijacking
Problem-Type   : remote
Risk           : low
Version        : All versions seem to be affected.
Official Site  : http://www.inter7.com/sqwebmail/sqwebmail.html
N Advisories   : 0002

*********************** About Sqwebmail *********************** SqWebMail is a web CGI client for sending and receiving E-mail using Maildir mailboxes. SqWebMail DOES NOT support traditional Mailbox files, only Maildirs. This is the same webmail server that's included in the Courier mail server, but packaged independently. If you already have Courier installed, you do not need to download this version.

*********************** Proof of concept ************************ An attacker could send an email to a victim who uses SQWEBMAIL, to get the victim to visit a website, which then logs all available information about the victim's system.

Example:

------------------- MY STAT FOR MY WEBSITE - REFERENT DOMAIN
http://mailserver.society.com/cgi-bin/sqwebmail/login/mail%40server.org.authvchkpw/3247A0578D6F3E74F37A20FF37B52A1C/1069089171?folder=Trash&form=folders

In this example, the victim has viewed our website while reading the mail that we sent him. The visit to the link has been recorded by our counter. Now we will be able to access the victim's mail admin page and will be able to read and send, calmly, his email without logging in. The session closes after approximately 20/30 minutes, and the attacker has the time to do as he pleases.

************************* What could an attacker do? ************************* Read, write and fake your e-mail. He could send, from your email address, a mail to your ISP and ask it for the user and password of your website. The consequences would be catastrophic.

************************* What can I do? ************************* Currently it seems that there isn't a patch for this problem.

************************* Suggestion to SQWEBMAIL ************************* It would have to reduce the time before sessions are closed.

Greetings, Vincenzo Ciaglia puc@pucciolab.org
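As an added example, written for this page and not code from the thread, from sqwebmail or from the advisory, the three pieces of the discussion above in Python: what an attacker recovers from a Referer line like the one in the advisory's counter log, the login-IP binding Sam describes in point A together with the idle timeout the advisory suggests, and a generic link-washing scheme of the kind point B refers to (an intermediate "dereferer" page, not a claim about how sqwebmail implements it). The host names, user ids, token, timestamps and the dereferer path are constructed; the assumption about browser Referer behaviour on a meta refresh is stated in the code.

```python
import re
import secrets
import html
from urllib.parse import quote

# Constructed sample: the Referer line an attacker's web counter would record
# after a webmail user clicked a link in a hostile message. Host, user id and
# token are made up for this example; only the URL shape follows the advisory.
SAMPLE_REFERER = (
    "http://mailserver.example.com/cgi-bin/sqwebmail/login/"
    "user%40example.org.authvchkpw/3247A0578D6F3E74F37A20FF37B52A1C/"
    "1069089171?folder=Trash&form=folders"
)

# Session URL shape as it appears in the advisory: .../login/<userid>/<32 hex>/<timestamp>
SESSION_URL_RE = re.compile(
    r"^(?P<origin>https?://[^/]+)(?P<base>/cgi-bin/sqwebmail/login/)"
    r"(?P<userid>[^/]+)/(?P<token>[0-9A-Fa-f]{32})/(?P<stamp>\d+)"
)


def session_from_referer(referer):
    """What the attacker extracts from a leaked Referer: the token and the path
    that, replayed, would reach the victim's mailbox. None if the Referer
    carries no session URL (e.g. after link washing)."""
    m = SESSION_URL_RE.match(referer)
    if not m:
        return None
    d = m.groupdict()
    d["replay_path"] = f"{d['base']}{d['userid']}/{d['token']}/{d['stamp']}"
    return d


class SessionStore:
    """Server-side session table. With bind_ip=True a session is usable only
    from the address that created it (the default Sam describes in point A);
    a session also dies after `timeout` idle seconds (the advisory's suggestion)."""

    def __init__(self, timeout=1800, bind_ip=True):
        self.timeout = timeout
        self.bind_ip = bind_ip
        self._sessions = {}

    def login(self, userid, client_ip, now):
        token = secrets.token_hex(16)  # 32 hex chars, like the advisory's URL
        self._sessions[token] = {"userid": userid, "ip": client_ip, "last": now}
        return token

    def authorize(self, token, client_ip, now):
        """Return the user id if this request may use the session, else None."""
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s["last"] > self.timeout:
            del self._sessions[token]   # idle timeout: a leaked token goes stale
            return None
        if self.bind_ip and s["ip"] != client_ip:
            return None                 # replay from the attacker's address
        s["last"] = now
        return s["userid"]


# Link washing (generic technique, constructed path): external hrefs in displayed
# mail are rewritten to a token-free dereferer path, and that page moves on with
# a meta refresh rather than a 3xx redirect, which some browsers follow while
# keeping the original page's Referer.
DEREFERER_PATH = "/cgi-bin/sqwebmail/dereferer"
HREF_RE = re.compile(r'href="(https?://[^"]+)"', re.IGNORECASE)


def wash_links(mail_html):
    return HREF_RE.sub(
        lambda m: f'href="{DEREFERER_PATH}?url={quote(m.group(1), safe="")}"',
        mail_html,
    )


def dereferer_page(target):
    """Body served at DEREFERER_PATH. Its own URL carries no session token, so
    the most the target site can learn from a Referer is the dereferer URL
    (assumption: the browser does not resend the mail page's Referer on a
    meta refresh). Non-http targets are refused to keep javascript: out."""
    if not target.lower().startswith(("http://", "https://")):
        raise ValueError("refusing non-http target")
    safe = html.escape(target, quote=True)
    return f'<meta http-equiv="refresh" content="0;url={safe}"><a href="{safe}">{safe}</a>'


if __name__ == "__main__":
    leak = session_from_referer(SAMPLE_REFERER)
    print("attacker recovers:", leak["replay_path"])
    store = SessionStore(timeout=1800)
    t = store.login("user@example.org", "192.0.2.10", now=1000)
    print("victim from login IP:", store.authorize(t, "192.0.2.10", 1010))
    print("attacker from other IP:", store.authorize(t, "198.51.100.7", 1020))
    washed = wash_links('<a href="http://attacker.example/stat">click</a>')
    print("washed link:", washed)
    print("leaks session?", session_from_referer(washed) is not None)
```

Run as a script it prints the replay path the attacker gets from the raw Referer, shows the same token accepted from the login address and refused from another one, and shows that the washed link no longer matches the session-URL pattern. A `SessionStore(bind_ip=False)` reproduces the case Sam describes where the user unchecked the IP option at login: the replayed token is then accepted until the idle timeout expires it.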