[Full-Disclosure] VSNL POP Webmail Referer Vulnerability

From: Jonathan A. Zdziarski (jonathan_at_nuclearelephant.com)
Date: 09/13/03

    To: full-disclosure@lists.netsys.com
    Date: Fri, 12 Sep 2003 20:08:01 -0400
    
    

    About VSNL POP:
    VSNL POP appears to be a proprietary webmail client used by VSNL.COM's webmail subscriber service.
    VSNL is a provider of IP-VPN solutions in both India and the United States with
    over 1GB of Internet bandwidth capacity that provides public webmail services on a subscription basis.

    Vulnerability:
    While glancing at my personal website visitors using WebPulse (a tool
    bundled with WebConference LiveHelp for monitoring website visitors in
    real time), I clicked on the referer for one user in particular to see
    who was linking to my site. To my shock and dismay, I was logged right
    into the user's web-based mailbox and had access to their address book,
    inbox, etcetera.

    It appears that VSNL mail does not have any type of session-cookie
    authentication as most webmail clients do, but rather stores the session
    id in the URL. The result is an open hole enabling anyone to log into
    the user's mailbox as long as the user is still logged in, provided they
    have this information.

    The obvious attack is anyone who is able to obtain the session id of the
    victim from an HTTP_REFERER. This information is divulged whenever a
    user clicks on a link from within their webmail.

    Due to another vulnerability (the fact that the session id is only six
    digits), one could theoretically also launch a brute force session id
    attack on the URL in an attempt to gain access to any open
    accounts... but may at least have to match the username.

    Workaround:
    If you are a VSNL POP webmail user, do not click on any web links
    directly, but copy/paste them into your browser. Whenever you are
    logged in, also remember that you are subject to a potential brute force
    attack until VSNL repairs this problem.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
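As an added illustration (not part of the post above, and not VSNL's code), the following Python models the flaw the post describes and the two things a practitioner would want alongside it: a check of what a link click discloses through Referer, a scan of a receiving site's access log for session tokens arriving in Referers, and the cookie-based login response that removes the token from the URL. The parameter name "sid", the hosts, and the log lines are constructed; the post does not name the real VSNL POP parameter, and the SameSite/Secure cookie flags are a present-day hardening, not something available to the author in 2003.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Query keys that commonly carry a session token. "sid" is a constructed
# stand-in; the real VSNL POP parameter name is not given in the post.
SESSION_KEYS = {"sid", "sessionid", "session", "phpsessid", "jsessionid"}

# Apache/nginx "combined" access-log line; the 7th field is the Referer.
COMBINED = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)"'
                      r' (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def referer_on_click(page_url):
    """What a browser sends as Referer when a link on page_url is followed:
    the page URL including its query string, with only the fragment removed."""
    s = urlsplit(page_url)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))

def leaked_tokens(url):
    """Session-looking query parameters that url would disclose as Referer."""
    q = parse_qsl(urlsplit(referer_on_click(url)).query, keep_blank_values=True)
    return {k: v for k, v in q if k.lower() in SESSION_KEYS}

def scan_log(lines):
    """Detection on the receiving site: flag requests whose Referer carries a
    session token from another host, i.e. a third-party service leaking to us."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        toks = leaked_tokens(m["referer"])
        if toks:
            hits.append((m["client"], urlsplit(m["referer"]).netloc, toks))
    return hits

def login_response_fixed(sid):
    """Mitigation for the webmail operator: carry the token in a cookie, which
    browsers never copy into Referer, and redirect to a token-free URL."""
    return {"Status": "302", "Location": "/inbox",
            "Set-Cookie": f"sid={sid}; HttpOnly; Secure; Path=/; SameSite=Lax"}

# Constructed sample log lines (no real hosts, clients or sessions).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2003:19:55:01 -0400] "GET /articles/dspam HTTP/1.1" 200 5120 '
    '"http://webmail.example.net/mail/inbox?user=alice&sid=482913" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Sep/2003:19:56:12 -0400] "GET / HTTP/1.1" 200 2048 '
    '"http://search.example.com/?q=dspam" "Mozilla/4.0"',
]
```

Running `scan_log(SAMPLE_LOG)` reports the first line only: the mailbox URL arrived as a Referer with its session token intact, while the search-engine Referer carries nothing session-like.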

