Bugtraq mailing list archives

Excite Email Disclosure Vulnerability


From: Jan Schaumann <jschauma () netmeister org>
Date: Mon, 18 Mar 2002 18:01:36 -0500

Hello all,

It appears that Excite's use of PHP allows for unauthorized access to a
user's mailbox and subsequently his/her account on email.excite.com.

Suppose a user receives an E-Mail with a URL and follows the link - the
target server receives a Referer String containing the PHPSESSION-Id
(http://e19.email.excite.com/msg_read.php?t=0&m=0&s=1&d=1&mid=157&PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
for example).

Copy and paste this into your browser and you have access to that user's
mailbox.

I emailed Excite about this on March 9th, but didn't get any response.
A proposed solution for Excite would be to use cookies or to use PHP in
such a manner that it does not transmit the session-id on each link.

-Jan

-- 
finger jschauma () netmeister org
Please do not CC me when replying to messages on a Mailing List.
See Mail-Followup-To header (above) and
http://www.google.com/search?q=Mail-Followup-To+Header
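
The following is an added example, not part of the original post: a log check that finds and masks session IDs exposed in request URLs or Referer headers, the leak path the message describes. The combined access-log layout, the `mail.example.com` host, the helper names and the session value are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters treated as session identifiers (assumption; extend per app).
SESSION_PARAMS = {"phpsessid"}

# Apache/nginx "combined" access-log format (assumed log layout).
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def redact(url):
    """Return (url_with_session_ids_masked, found_any)."""
    parts = urlsplit(url)
    found, pairs = False, []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SESSION_PARAMS:
            found, value = True, "REDACTED"
        pairs.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(pairs))), found

def scan(lines):
    """Yield (line_no, field, redacted_url) for every field carrying a session ID."""
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        for field in ("target", "referer"):
            url, found = redact(m.group(field))
            if found:
                yield no, field, url

# Constructed sample lines, not real traffic; the session value is made up.
SID = "0123456789abcdef0123456789abcdef"
SAMPLE = [
    # webmail server's own log: the session ID travels in the request URL
    '198.51.100.7 - - [18/Mar/2002:18:01:36 -0500] "GET /msg_read.php?mid=157'
    f'&PHPSESSID={SID} HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    # third-party server's log: the same URL arrives as the Referer
    '198.51.100.7 - - [18/Mar/2002:18:01:40 -0500] "GET /page.html HTTP/1.0" 200 812 '
    f'"http://mail.example.com/msg_read.php?mid=157&PHPSESSID={SID}" "Mozilla/4.0"',
    # clean request: no session ID in either field
    '198.51.100.7 - - [18/Mar/2002:18:02:01 -0500] "GET /index.html HTTP/1.0" 200 100 '
    '"http://mail.example.com/inbox.php" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for no, field, url in scan(SAMPLE):
        print(f"line {no}: session ID in {field}: {url}")
```

A hit in the `target` field of a site's own logs shows that session IDs are still being propagated in URLs; a hit in `referer` shows one arriving from another site.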

