lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 18 Nov 2003 02:18:04 +0100 (CET)
From: Vincenzo Ciaglia <puccio@...ciolab.org>
To: bugtraq@...urityfocus.com
Subject: PCL-0002: Session Hijacking in "Sqwebmail"


---------------------------
PUCCIOLAB.ORG - ADVISORIES
<http://www.pucciolab.org>
---------------------------

PCL-0002: Session Hijacking in "Sqwebmail"

---------------------------------------------------------------------------
PuCCiOLAB.ORG Security Advisories                    puccio@...ciolab.org
http://www.pucciolab.org                             Vincenzo Ciaglia
November 18th, 2003
---------------------------------------------------------------------------

Package        : Sqwebmail
Vendor         : Inter7
Vulnerability  : access to private account without login, session
hijacking
Problem-Type   : remote
risk           : low
Version        : All the version seems to be affected.
Official Site  : http://www.inter7.com/sqwebmail/sqwebmail.html
N Advisories  : 0002

***********************
About Sqwebmail
***********************
SqWebMail is a web CGI client for sending and receiving E-mail using
Maildir mailboxes. SqWebMail DOES NOT support
traditional Mailbox files, only Maildirs. This is the same webmail server
that's included in the Courier mail server,
but packaged independently. If you already have Courier installed, you do
not need to download this version.

***********************
Proof of concepts
************************
An attacker could send an email to a victim who used SQWEBMAIL, to get the
victim to visit a website, which then logs all
available information about the victim's system.

Example:
-------------------
MY STAT FOR MY WEBSITE - REFERENT DOMAIN
http://mailserver.society.com/cgi-bin/sqwebmail/login/mail%40server.org.authvchkpw/3247A0578D6F3E74F37A20FF37B52A1C/1069089171?folder=Trash&form=folders


In this example, the victim has visualized our website reading the mail
that we have sent to him. Visiting the link is been
marked from our counter. Now we will be able to access to the victim's
mail page admin and will be able to read and to send, calmly,
its email without make login. The session comes sluice after approximately
20/30 minutes and the attacker has the time
to make its comfortable ones.

*************************
What could make a attacker?
*************************
Read, write and fake your e-mail. Could send , from you email address, a
mail to your ISP and ask it User e PASS of your
website. The consequences would be catastrophic.

*************************
What I can do ?
*************************
Actually seems that there isn't a patch for this problem.

*************************
Suggestion to SQWEBMAIL
*************************
It would have to reduce the time for the closing of the sessions.

Greet,
Vincenzo Ciaglia
puccio@...ciolab.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ