VSNL POP Webmail Referer Vulnerability

["Jonathan A. Zdziarski" <jonathan () nuclearelephant com>]

About VSNL POP:
VSNL POP appears to be a proprietary webmail client used by VSNL.COM's webmail subscriber service.
VSNL is a provider of IP - VPN solutions in both India and the United States with
over 1GB of Internet Bandwidth capacity who provide public webmail services on a subscription basis.

Vulnerability:
While glancing at my personal website visitors using WebPulse (a tool
bundled with WebConference LiveHelp for monitoring website visitors in
real time), I clicked on the referer for one user imparticular to see
who was linking to my site.  To my shock and dismay, I was logged right
into the user's web-based mailbox and had access to their address book,
inbox, etcetera.  

It appears that VSNL mail does not have any type of session-cookie
authentication as most webmail clients do, but rather stores the session
id in the URL.  The result is an open hole enabling anyone to log into
the user's mailbox as long as the user is still logged in, provided they
have this information.

The obvious attack is anyone who is able to obtain the session id of the
victim from an HTTP_REFERER.  This information is divulged whenever a
user clicks on a link from within their webmail.  

Due to another vulnerability (the fact that the session id is only six
digits) One could theoretically also launch a brute force session id
attack on the URL in an attempt to gain access to any open
accounts...but may at least have to match the username.

Workaround:
If you are a VSNL POP webmail user, do not click on any web links
directly, but copy/paste them into your browser.  Whenever you are
logged in, also remember that you are subject to a potential brute force
attack until VSNL repairs this problem.





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html