Full Disclosure mailing list archives
VSNL POP Webmail Referer Vulnerability
From: "Jonathan A. Zdziarski" <jonathan () nuclearelephant com>
Date: Fri, 12 Sep 2003 20:08:01 -0400
About VSNL POP: VSNL POP appears to be a proprietary webmail client used by VSNL.COM's webmail subscriber service. VSNL is a provider of IP - VPN solutions in both India and the United States with over 1GB of Internet Bandwidth capacity who provide public webmail services on a subscription basis. Vulnerability: While glancing at my personal website visitors using WebPulse (a tool bundled with WebConference LiveHelp for monitoring website visitors in real time), I clicked on the referer for one user imparticular to see who was linking to my site. To my shock and dismay, I was logged right into the user's web-based mailbox and had access to their address book, inbox, etcetera. It appears that VSNL mail does not have any type of session-cookie authentication as most webmail clients do, but rather stores the session id in the URL. The result is an open hole enabling anyone to log into the user's mailbox as long as the user is still logged in, provided they have this information. The obvious attack is anyone who is able to obtain the session id of the victim from an HTTP_REFERER. This information is divulged whenever a user clicks on a link from within their webmail. Due to another vulnerability (the fact that the session id is only six digits) One could theoretically also launch a brute force session id attack on the URL in an attempt to gain access to any open accounts...but may at least have to match the username. Workaround: If you are a VSNL POP webmail user, do not click on any web links directly, but copy/paste them into your browser. Whenever you are logged in, also remember that you are subject to a potential brute force attack until VSNL repairs this problem. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- VSNL POP Webmail Referer Vulnerability Jonathan A. Zdziarski (Sep 12)
- <Possible follow-ups>
- VSNL POP Webmail Referer Vulnerability Jonathan A. Zdziarski (Sep 12)