Bugtraq mailing list archives

Webmail.bellsouth.net security problems


From: wiseleo () BEST COM (Leonid S. Knyshov)
Date: Tue, 25 Aug 1998 15:39:11 -0700


Dear Bugtraq readers and security at Bellsouth

Upon examining my log files, I came across an interesting fact.

Background:
As part of my Internet marketing efforts, I read web log files daily to
see if anything interesting comes up.

Just today I was reading my logs this way: grep welcome.html access.log

And among others there was this entry:

*.*.*.* - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 200 4427 "http://webmail.bellsouth.net/WebEmail?FormName=ReadMail&WebMail-Action=WebMail-MessageContent&WebMail-MsgNdx=3&WebMail-St=&WebMail-MailBox=INBOX&SEQ=Xnn-43_tE0_PB9GePBFs8txjXohB-IdE&WebMail-MsgCount=69&locale=en&ver=2.0.0&dyn=" "Mozilla/3.02Gold (WinNT; I)"

Naturally that sparked my interest, so I went to that exact same URL. I
was greeted with a message that 2 hours passed and I am logged off, but
that's not a good thing.

Concerns:
Bellsouth.net webmail customers' accounts may be easily abused

Investigation:
Just created an account to check out features,
POP3 access without additional authentication I presume
Oh my God... There is a tab "Personal Info" *gasp*...
Address, phone number, place of work, etc.

Obviously this is unacceptable. Incredibly easy to bypass security.

One attack would be:
to: unsuspecting_user () webmail bellsouth net
subject: check out my site!

Hey buddy, check out my site! http://www.crashproofpc.com

If they click they send me their UNLOCKED mailbox location via
HTTP_REFERER, and if I have access to log files, I can easily get into
that account and cause a great deal of trouble. I won't go into any
further details :)
--
Leonid S. Knyshov
Information Technology Consultant
Crashproof Solutions - "Keeping true to our name!"
http://www.crashproofpc.com
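
An added example, not part of the original post: a log scrubber a site operator could run so that session identifiers arriving in the Referer field, as in the entry quoted above, are found and redacted before access logs are stored or shared. The parameter names other than SEQ, the 24-character token heuristic, the webmail.example host and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Parameter names treated as session carriers. SEQ is the one seen in the post;
# the others are assumptions chosen for illustration.
SESSION_PARAMS = {"seq", "sid", "sessionid", "session", "token"}
# Fallback heuristic (assumption): long URL-safe values are probably opaque tokens.
TOKEN_LIKE = re.compile(r'^[A-Za-z0-9_\-]{24,}$')

# Constructed sample lines (documentation address, placeholder host and token).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 200 4427 '
    '"http://webmail.example/WebEmail?FormName=ReadMail&SEQ=CONSTRUCTED-token_0123456789abcdef&locale=en" '
    '"Mozilla/3.02Gold (WinNT; I)"',
    '192.0.2.11 - - [25/Aug/1998:07:30:11 -0700] "GET /welcome.html HTTP/1.0" 200 4427 '
    '"http://search.example/find?q=crash+proof" "Mozilla/3.02Gold (WinNT; I)"',
]


def leaked_params(referer):
    """Return names of query parameters in a Referer that look like session tokens."""
    query = urlsplit(referer).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SESSION_PARAMS or TOKEN_LIKE.match(value)]


def scrub_line(line):
    """Return (line_with_tokens_redacted, leaked_names); unchanged if nothing leaks."""
    m = LOG_RE.match(line.strip())
    names = leaked_params(m.group("referer")) if m else []
    if not names:
        return line, []
    referer = redacted = m.group("referer")
    for name in names:
        # Replace only the value of the flagged parameter, keep the rest of the URL.
        redacted = re.sub(r'(?<=[?&])(' + re.escape(name) + r')=[^&"]*', r'\1=REDACTED', redacted)
    return line.replace(referer, redacted), names


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        cleaned, found = scrub_line(entry)
        print(("LEAK %s: " % ",".join(found) if found else "ok: ") + cleaned)
```

Redacting stored logs only limits exposure on the receiving side; the identifier still leaves the webmail site whenever a session token is carried in a URL that ends up in the Referer header.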


