Bugtraq mailing list archives

Re: Webmail.bellsouth.net security problems


From: joe () BLARG NET (Joe)
Date: Fri, 28 Aug 1998 14:05:26 -0700


http://www.news.com/News/Item/0,4,25830,00.html

(Leonard got a nice plug for his site by the way :)

Bellsouth says they've fixed their Webmailer. It now checks the IP address
to make sure it matches the IP they authenticated with.

Gee, someone with access to server log files might also be savvy enough to
spoof an IP address. Ya think?

This isn't a patch, it's a band-aid.


On Tue, 25 Aug 1998, Leonid S. Knyshov wrote:

Dear Bugtraq readers and security at Bellsouth

Upon examining my log files, I came across an interesting fact.

Background:
As part of my Internet marketing efforts, I read web log files daily to
see if anything interesting comes up.

Just today I was reading my logs this way: grep welcome.html access.log

And among others there was this entry:

*.*.*.* - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 200 4427 "http://webmail.bellsouth.net/WebEmail?FormName=ReadMail&WebMail-Action=WebMail-MessageContent&WebMail-MsgNdx=3&WebMail-St=&WebMail-MailBox=INBOX&SEQ=Xnn-43_tE0_PB9GePBFs8txjXohB-IdE&WebMail-MsgCount=69&locale=en&ver=2.0.0&dyn=" "Mozilla/3.02Gold (WinNT; I)"

Naturally that sparked my interest, so I went to that exact same URL. I
was greeted with a message that 2 hours had passed and I was logged off, but
that's not a good thing.

Concerns:
Bellsouth.net webmail customers accounts may be easily abused

Investigation:
Just created an account to check out features,
POP3 access without additional authentication I presume
Oh my God... There is a tab "Personal Info" *gasp*...
Address, phone number, place of work, etc.

Obviously this is unacceptable. Incredibly easy to bypass security.

One attack would be:
to: unsuspecting_user () webmail bellsouth net
subject: check out my site!

Hey buddy, check out my site! http://www.crashproofpc.com

If they click they send me their UNLOCKED mailbox location via
HTTP_REFERER, and if I have access to log files, I can easily get into
that account and cause a great deal of trouble. I won't go into any
further details :)
--
Leonid S. Knyshov
Information Technology Consultant
Crashproof Solutions - "Keeping true to our name!"
http://www.crashproofpc.com


--
Joe H.                                  Technical Support
General Support:  support () blarg net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
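The Referer leak Leonid describes can be spotted on the receiving side by scanning access logs for referring URLs that carry a session-bearing query parameter, which is also how a site operator would know whose third-party sessions are landing in their logs. The following is an added example, not code from either post: a small Python scanner for NCSA combined-format log lines. The parameter names other than SEQ, and the hosts and token in the sample entries, are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# NCSA combined log format, the shape of the entry quoted in the post:
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query parameter names that tend to carry a bearer-style session identifier.
# "SEQ" is the one visible in the quoted webmail URL; the others are assumed.
SESSION_PARAMS = {"seq", "sessionid", "sid", "phpsessid", "jsessionid", "token"}

def parse_combined(line):
    """Parse one combined-format access log line into a dict, or None."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def leaked_session_params(referer):
    """Return the session-like query parameters found in a Referer URL (the leak in the post)."""
    if not referer or referer == "-":
        return {}
    qs = parse_qs(urlsplit(referer).query)
    return {k: v for k, v in qs.items() if k.lower() in SESSION_PARAMS}

def scan_log(lines):
    """Yield (client_host, referer_host, leaked_params) for each entry that leaks a session."""
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        leaked = leaked_session_params(entry["referer"])
        if leaked:
            yield entry["host"], urlsplit(entry["referer"]).hostname, leaked

# Constructed sample entries modelled on the quoted one; hosts and token are made up.
SAMPLE_LOG = [
    '10.0.0.7 - - [25/Aug/1998:07:28:02 -0700] "GET /welcome.html HTTP/1.0" 200 4427 '
    '"http://webmail.example.net/WebEmail?FormName=ReadMail&WebMail-MailBox=INBOX'
    '&SEQ=EXAMPLETOKEN&locale=en" "Mozilla/3.02Gold (WinNT; I)"',
    '10.0.0.8 - - [25/Aug/1998:07:30:11 -0700] "GET /welcome.html HTTP/1.0" 200 4427 '
    '"http://www.example.com/links.html" "Mozilla/3.02Gold (WinNT; I)"',
    '10.0.0.9 - - [25/Aug/1998:07:31:45 -0700] "GET /index.html HTTP/1.0" 200 1024 "-" "Lynx/2.8"',
]

if __name__ == "__main__":
    for host, ref_host, params in scan_log(SAMPLE_LOG):
        print(f"{host} arrived from {ref_host} carrying session parameter(s): {sorted(params)}")
```

Only the first sample entry is reported; the plain link referer and the missing referer pass silently.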
