The WebMail software installed on comm.lycos.com, angelfire.com, eudoramail.com and other web mail providers allows an attacker to hijack other users' attachments by modifying the hidden form fields of the compose message form.
Credit:
The information has been provided by Philip Stoev.
Details:
When a file is attached to a message, the compose message form carries a hidden form field whose name is the attachment's file name and whose value is the server-side path of the cached copy, for example:
    filename.txt = /tmp/cache/24377.550
The server trusts this value as-is. By changing it to a neighbouring value, an attacker can send an email containing someone else's attachment, for example:
    filename.txt = /tmp/cache/24377.549
Because the value is used as a path, '../..' style directory traversal is also possible.
The problem has three causes:
1. A user is allowed to reference attachments belonging to other users; no file-ownership check is performed.
2. User input is not validated for ".." character sequences.
3. Temporary files are named by an easy-to-predict sequential numbering scheme, so a neighbouring attachment can be found by guessing.
The problem is trivial to exploit by hand: save the compose message HTML form locally, edit the hidden field, and submit it. Note that enforcing strict user-agent, cookie and referrer checks does not prevent such vulnerabilities from being exploited. Publicly available tools (such as ELZA) automate the exploitation of such vulnerabilities while preserving whatever cookies, referrers and user-agent strings the web site software expects to see.
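The following is an added example, not the vendor's code or anything from the original advisory. It models the lookup described above (a hidden field that holds a raw cache path and is used verbatim) beside a hardened design that addresses all three causes: an opaque random token instead of a sequential path, rejection of path separators and "..", and an ownership check before the file is returned. All names (vulnerable_resolve, AttachmentStore, run_demo) and the scenario of "alice" and "mallory" are hypothetical and constructed for illustration.

```python
"""Added example: attachment lookup as the advisory describes it, beside a
hardened version.  Hypothetical names; not the vendor's code."""
import os
import secrets
import tempfile
from pathlib import Path


def vulnerable_resolve(hidden_field_value: str) -> str:
    """Mirror the described behaviour: the hidden form field holds a filesystem
    path and the server uses it as-is.  Nothing ties the path to the requesting
    user, and '..' is not rejected, so traversal escapes the cache directory."""
    return os.path.normpath(hidden_field_value)


class AttachmentStore:
    """Hardened lookup (hypothetical design): the form carries an opaque,
    unpredictable token; the server maps token -> (owner, path) and verifies
    the owner before handing the file back."""

    def __init__(self, cache_dir: str) -> None:
        self.cache_dir = Path(cache_dir).resolve()
        self._entries: dict[str, tuple[str, Path]] = {}

    def save(self, owner: str, data: bytes) -> str:
        # 256-bit random token: a neighbouring attachment cannot be guessed
        # the way /tmp/cache/24377.549 follows /tmp/cache/24377.550.
        token = secrets.token_urlsafe(32)
        path = self.cache_dir / token
        path.write_bytes(data)
        self._entries[token] = (owner, path)
        return token

    def resolve(self, requester: str, token: str) -> Path:
        # 1. Input validation: a token is a bare name, never a path.
        if not token or "/" in token or os.sep in token or ".." in token:
            raise ValueError("malformed attachment token")
        # 2. Ownership check: the token must have been issued to this user.
        entry = self._entries.get(token)
        if entry is None or entry[0] != requester:
            raise PermissionError("attachment does not belong to requester")
        # 3. Containment check (defence in depth): file must sit in the cache dir.
        path = entry[1].resolve()
        if path.parent != self.cache_dir:
            raise PermissionError("attachment outside cache directory")
        return path


def run_demo() -> dict:
    """Constructed scenario: alice attaches a file, then mallory submits a
    compose form whose hidden field references alice's attachment."""
    results = {}
    # Original scheme: a neighbouring id and a traversal both resolve silently.
    results["vuln_neighbour"] = vulnerable_resolve("/tmp/cache/24377.549")
    results["vuln_traversal"] = vulnerable_resolve("/tmp/cache/../../etc/passwd")

    store = AttachmentStore(tempfile.mkdtemp(prefix="webmail-cache-"))
    secret = b"alice's confidential attachment"
    token = store.save("alice", secret)
    results["owner_reads_own"] = store.resolve("alice", token).read_bytes() == secret
    try:
        store.resolve("mallory", token)          # someone else's token
        results["hijack_blocked"] = False
    except PermissionError:
        results["hijack_blocked"] = True
    try:
        store.resolve("mallory", "../../etc/passwd")  # traversal attempt
        results["traversal_blocked"] = False
    except ValueError:
        results["traversal_blocked"] = True
    results["token_length"] = len(token)         # 43 url-safe chars, not a counter
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The ownership check is the essential fix: even with unguessable tokens and no traversal, a token leaked by any other route would still let a different user pull the file if the server did not tie it to the session that uploaded it.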
Solution:
The vendor has fixed this particular problem; however, all web mail vendors are urged to evaluate their systems for similar problems.